You might want to check the small print in whatever contract the independent practice has with the hospital. There's a chance hospital IT has hired a security firm to do a security assessment of their network, and that would include you in the scope as well.
Even if you aren't necessarily *in* the scope of the assessment, you are an attack vector into the hospital's own network and as such you will probably be probed and poked at.
Step 1 would be to ask hospital IT for the paperwork on the security assessment and see what's in scope and what's not, and if you aren't in scope, a firm statement to the effect of "get the f*ck out of my machines" would hopefully do the trick.
Following it up with some better agreements on who notifies who when things like this go down would also be a good step.
If hospital IT stays unresponsive, involve law enforcement.