Before I begin, let me preface this post by saying I work in a hospital on the IT staff, and I have for the past 10 years now (as scary as that sounds to me typing it out). At any rate, I can say that malware, spyware, viruses, etc. are a constant concern for the staff here. When I started working here it was the 'Wild West' for computing; people did what they wanted, when they wanted to, on their computers, and we've slowly curbed that, especially now that electronic medical records are being used.
The key we've found to keep malicious software off computers used for medical purposes, or with confidential data, is actually threefold -- first, segregate those devices with ePHI (electronic protected health information) off onto their own network; second, strip the computers of all but the most essential software; and third, the medical staff all have to sign agreements when they're hired that strictly prohibit them from using computers for personal tasks. Want to check your e-mail? Bring in your smartphone, laptop, etc., and do it with that device (we actually provide a wireless network for the entire staff to use 'just' for that purpose). Nobody can keep 'on task' all day, so allowing them the outlet with some caveats has been a great success.
However, all machines that have access to the ePHI network are imaged once put into service, and we re-image the machines on a staggered schedule so every 6 months they're a fresh install. Antivirus software (AVG) is installed and on an automatic update / scan schedule as well -- with a central server that reports results to us. Also, for security concerns every laptop is encrypted (thank you TrueCrypt), and every device that accesses ePHI comes through a VPN. If a laptop gets stolen (and one has in the past), the VPN access for that device is revoked immediately. So between the VPN and encryption, the odds of a 'break' in our security are astronomical.
Anyway, all these procedures may seem a bit excessive, but we've yet to have a PC with ePHI or EMR software be compromised where I work thanks to them. I sleep slightly better at night thanks to this system actually. I do know of several other hospitals / medical facilities that are far, far less secure though, and frankly it scares the hell out of me how cavalier they are about the whole ordeal. One of our doctors is per diem, and his home office supplied him with an unencrypted, unsecured laptop with full admin rights, and their EMR software installed on said laptop for his free use.
PS -- A tip to anyone working in a medical facility: one of the ways we had our providers (doctors) agree to a system this stringent was to point out that infractions where ePHI is compromised put their necks on the line, even more so than they do ours. So all this security is for their benefit as much as yours. Also, this goes double if you have a counseling staff, because the rules around ePHI regarding counseling services are even more strict and crazy. Anyway, hopefully that helps someone out.