For security
Use Windows Server 2003/2008 with strong passwords, limited user account, authentication with 802.1x and a RADIUS server. Good antivirus, IP Filtering, antispyware and iron fisted IT policies of not installing unapproved software like "file sharing" and internet games are just an necessary.
Using 802.1x allows you to allow/revoke users on Windows Domain. Using WPA/WPA2 alone on each workstation computer is more risky because that information can be discovered, compromised, etc. and is not centrally managed. The encryption certificated is installed on the client computer without ever being broadcast across the network.
Using MAC filtering is a waste of time. The MAC is broadcast by the client computers and can be easily spoofed. It is just an administration headache with little benefit.
Using a hidden SSID is useful.
Reliability
Windows server placed on good hardware. Do not go out and buy the Staples $50 toy router. Get an enterprise or small business class router appliance. Usually $200-500. Cisco makes pretty good stuff. I do not have any recomendations, I flash my home routers with DD-WRT but that is a "hack" job. My clinic is part of a group with IT staff that use Cisco routers.
Affordability
That is a relative concept. What is the affordability of an unsecure system? Cost is only one part of the problem.
