I work in the managed IT services space, and honestly given this is a health organization and HIPAA applies, I think they're being rather nice.
If you're able to build a box, connect it to the hospital network, and get a port opened to the outside world where you are potentially storing PHI (face it, you're going to end up with at least a peppering of health information in even just the subject entries, let alone the details for the calendar)... that's pretty lax on their part.
Does the hospital outsource their IT support? If yes, I'd jump on the opportunity to move forward with "just providing a login", because if this works its way up the chain you'll no doubt be taking that machine home with you soon :)
If the hospital manages their own IT, your chances are better since there's probably less worry of finger pointing in the event of a breach.