Policies and Procedures exist for a reason. I support this and will always try to work within 'the system', whatever that may be. If you find 'the system' isn't working. Take the steps necessary to improve it, and carry on. Wash rinse repeat.
To that end, my recommendation is to have the doctors get involved. Absolutely, beef up their security, have good intrusion detection, prevention and reporting. Get security to advise the doctors ahead of time about the planned 'attack', and report back the findings. Be the blue team defending, let them be the red team. Make sure you've done your job right.
I would consider this to be no different than regularly restoring your backup data. You do that right?