A hacker's attack against your system involves a complicated sequence of activities. The best protection is achieved by disrupting each of these activities. In that way, the defense against the attacker is not dependent on the success of any single protection measure. This is an important security principle is known as defense in depth. Hackers follow a routine set of activities when attempting to compromise a system:
 
Reconnaissance. The hacker seeks information about your systems, your organization and your staff. Some of this information may be provided by your systems as feedback to anyone attempting to connect to them, some through publication of your resources in Internet directories, some through mention of you organization in trade publications, mailing lists, blogs and the like.  Hackers use this information, collectively referred to as a 'footprint' to focus their attacks against your systems.
What you can do to reduce reconnaissance: Instruct your vendors and technical support staff to configure systems that only information required to support authorized protocols is displayed.

Scan for Vulnerabilities. The hacker will use automated tools to find known vulnerabilities in your system. Security research has shown that instances of poor design, logic error, and program code faults can be found in all kinds in operating systems, database platforms, applications and software utilities. System vendors publish software 'patches' or 'security updates' to correct many types of vulnerabilities. Even so hackers continue to develop new means of exploiting known and newly discovered vulnerabilities in order to steal confidential information, disrupt system operations or get the system to execute the hacker's commands.

What you can do to reduce vulnerabilities: 1) Eliminate the known vulnerabilities in your systems. Ensure your technical support group subscribes to the 'notification service' of each of your vendors to ensure the 'patches' are installed in a timely fashion. Patching should occur on any system that feeds or is necessary to the proper operations of the EHR system, including operating systems, web servers, and databases. 2) Use hacker tools to scan your own systems. Have your technical support staff routinely conduct external 'vulnerability scans' . This will give you a hacker's view of your system and allow you to identify areas of high risk.

Exploit the vulnerability. Once vulnerabilities have been identified, the hacker will execute a collection of exploits to accomplish the goal of acquiring confidential information, corrupting or otherwise gaining control of your systems. Executing these exploits takes time and thus provides a window of opportunity for disruption.

What you can do to stop exploits: Configure the 'intrusion detection' aspects of your systems to 'alert' your technical support staff of unusual system activity that may indicate an ongoing exploit of your systems. Intrusion detection monitors are built into most systems. For example, the Windows operating system provides an alert whenever a large number of failed logins occurs, which indicates there may be an automated process attempting to gain access using default or very simple passwords. Additional specific intrusion detection products can be used to observe target traffic (or messages) that are evidence of well know exploits. [Intrusion detection, SNORT]

Cover tracks. To escape responsibility, the hacker will attempt to erase or otherwise obscure evidence of the attack.

What you can do to ensure accountability. System logs are critical to identifying the attack source and associating it with specific system events. Audit logging should be enabled for all relevant systems with storage sufficient to maintain adequate storage for later use. Systems should be configured so that special privileges are required to modify or delete the audit logs. Furthermore to ensure accountability, always use the strongest practical methods to authenticate users, network connections and systems.
 
Resources - Reconnaissance

• Attack vs. Defense on an Organizational Level -- a SANs publication (2007) that explores the changing motivation of hack attacks. A theoretical cyber attack and defense scenario between fictional organizations, using real techniques and tools for both attack and defense is discussed in detail.
• The Art of Reconnaissance -- a SANS Institute publication (2001) that discusses basis reconnaissance and footprinting.
• Tools, Tools, Tools -- a SANS Institute paper (2001), providing a quick reference on popular tools for detecting security problems. The paper gives a brief explanation on how they work and where to find them.

Resources - Vulnerabilities

• WhatWorks -- a user to user program in which managers who have implemented effective security protections tell a complete story of why they implemented it, how it works, how they know it improved security, what problems they faced and what lessons they learned.
• Introduction to Vulnerability Scanning -- a brief article introducing the concepts of vulnerability scanning--how it works, what it checks for, what results are generated, and how to use them. A list of some scanning tools and products, including free tools, is included.

Resources - Intrusion Detection

• SNORT -- an open source network intrusion prevention and detection system that is the de facto tools for IDS scans.
• Understanding Intrusion Detection Systems -- a SANs publication (2001), presents a step by step approach to implementing Intrusion Detection procedures.
• The Essential Guide to Intrusion Detection and Prevention Systems  -- From IT Security (2008). What you need to know about intrusion detection and prevention systems to keep outsiders from wreaking havoc on your network.

Resources - Audit Logging

• NIST SP 800-14 (PDF - 187KB)  A NIST special publication on securing computer systems. It covers audit trails from a high-level perspective.