Speaking as a small business consultant who has run into this problem a number of times: as you said, airgapping doesn't always work. However, I have one customer who is security conscious and would rather alter his way of doing business than expose customer data and infrastructure to viruses.
Two separate networks run on two separate switches (yes, VLANs could have been used, but the switches didn't support them). Each port in the building can be configured to the internal or external network. Wireless is only available on the external network.
To this end:
1) The ultrasound computer is airgapped because it's running Windows XP. Specifically, the software for the US machine is very old and only runs on XP, and upgrading would be a $10,000+ purchase (new US machine, not just the software cost).
2) The record keeping and accounting are separate from the internet. Customer records are only available on the internal network, and are not connected directly to the internet. These computers are thin clients with USB mass storage support disabled.
3) The internet computer is a disposable kiosk computer, which has no access to customer records. If someone wants to look something up (i.e. a rare disease), that computer is available for that. It's also available for email.
This has worked remarkably well. In the (extremely rare) event that a US picture needs to be emailed, the US computer is briefly connected to the internet behind a NAT firewall. We've had zero viruses or known intrusions on the internal network in 10 years.
The doctors at this office are accustomed to the inconveniences that this brings, but they work around those issues. They did business for over 30 years with paper records, and they see no need to switch. The idea that some sensitive data gets leaked or hacked is more important than the minor efficiency gains they could achieve. However, this is a rare case. Most of my customers demand all their computers be internet-connected.
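The post mentions thin clients with USB mass storage disabled but not how that is done. As an added example (not from the original post, and assuming the clients run Windows, which the post does not say), here is one way to disable the USB storage class driver on a Windows machine and verify that no USB storage device is currently attached. The `Test-UsbStorageLockdown` function name is my own.

```powershell
# Added example, not from the original post. Assumes a Windows client;
# run as Administrator. Disables the USBSTOR class driver so newly
# attached USB mass-storage devices are never bound to a driver.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Start = 3 is the Windows default ("Manual": load on demand);
# Start = 4 means "Disabled". The change applies to devices plugged in
# after this point; already-mounted volumes stay until removed or reboot.
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

function Test-UsbStorageLockdown {
    # Returns $true only if the driver is disabled AND no USBSTOR device
    # is currently present, so a stale mount does not pass the check.
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    $present = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.InstanceId -like 'USBSTOR\*' }
    return ($start -eq 4) -and (-not $present)
}

if (Test-UsbStorageLockdown) {
    Write-Output 'USB mass storage: disabled, no storage devices attached'
} else {
    Write-Output 'USB mass storage: NOT fully locked down'
    Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}
```

The registry setting only blocks the mass-storage class; it does not stop other USB device classes (keyboards, network adapters, phones exposing MTP), so on a machine that must stay off the internet it is worth pairing with a device-installation restriction policy and periodic re-checks rather than treating the one registry key as the whole control.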