Based on my experienceas a security analyst and just knowing how doctor's offices work, it would require an external person auditing the system to make a determination if the system has been compromised.

Systems deployed in doctor's offices tend to be small networks or stand-alone systems; those in hospitals are much more likely to have a degree of security associated with them that would log changes. All too often, the systems in doctor's offices have an older operating systems which are more readily "crackable".

Example: using a program called StealthAudit from Stealthbits, it is possible to determine (on Windows systems) whether or not someone attached a USB device to a port and if traffic flowed to that location. If installed, a host-based tool can detect if changes were made to local files (works on both a server or desktop and Tripwire can do either of them). Network sniffers can locate traffic flowing out of a desktop across the wire to internal external systems if monitoring is implemented (Wireshark).

There are a myriad of tools which a motivated person can try and obscure what they are doing and security professionals have a similar suite to try and detect forensically what has happened on the same system.

The real dependency in your story needs to be the motivation of the perpetrator - is s/he very capable as a "cracker/hacker" or someone with limited capabilities? What you decide here will determine what they do and what they will likely leave as a tr4ail that can be found by a forensic level audit.