I worked as an IT Manager in a hospital for a few years, and know a little bit about this... The first issue is that these systems typically CANNOT be upgraded, and this is not due to the MFG not wanting to upgrade, this is an FDA compliance issue... If they upgrade the software, they have to do some very expensive certifications with the FDA, and these same certifications delay the release of medical equipment to the point that much of the technology is already close to being outdated when it hits the market.
Our solution, which seems simple enough, was that every type of medical equipment was located on a different physical network (for critical pt. monitoring equipment) or at a minimum a separate VLAN on the main network. All network access to this equipment was blocked except for very specific exceptions that were allowed based on the absolute need of that piece of equipment. We had no issues with any of these infections or malware, although it did increase the man-hours overhead, especially when working with the vendors that would sometimes wonder why they could not hit the internet from the X-Ray machine ... but we managed just fine.
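The default-deny, need-based allow-list the comment describes, modelled as a small policy evaluator and a firewall-log audit; this is an added example, not the commenter's configuration, and every subnet, host, port and log line in it is a constructed sample value.

```python
"""Default-deny policy for an isolated medical-device VLAN with need-based exceptions.

Added example (not from the original comment). All addresses, ports and log
lines below are constructed samples, not a real hospital's addressing.
"""
from ipaddress import ip_address, ip_network

IMAGING_VLAN = ip_network("10.50.0.0/24")          # constructed: X-ray/CT modalities
PACS_SERVER = ip_address("10.10.5.20")              # constructed: image archive
INTERNAL_DNS = ip_address("10.10.5.53")             # constructed: resolver inside the hospital

# Allow-list of (source network, destination host, protocol, destination port).
# Each entry exists because the device needs it; everything else is denied.
ALLOW = [
    (IMAGING_VLAN, PACS_SERVER, "tcp", 104),   # DICOM transfer to the archive
    (IMAGING_VLAN, INTERNAL_DNS, "udp", 53),   # name resolution, internal only
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow. No match means deny (default-deny)."""
    s, d = ip_address(src), ip_address(dst)
    for net, host, p, port in ALLOW:
        if s in net and d == host and proto == p and dport == port:
            return "allow"
    return "deny"


# Constructed firewall log in a simple key=value format, one flow per line.
SAMPLE_LOG = """\
src=10.50.0.12 dst=10.10.5.20 proto=tcp dport=104
src=10.50.0.12 dst=203.0.113.10 proto=tcp dport=443
src=10.50.0.12 dst=10.10.5.53 proto=udp dport=53
src=10.10.8.77 dst=10.50.0.12 proto=tcp dport=445"""


def audit(log_text: str) -> list:
    """List flows the policy denies, tagged by direction relative to the device VLAN.

    Denied egress is the 'why can't the X-ray machine reach the internet' call (or
    malware trying to phone home); denied ingress is something probing the VLAN.
    """
    findings = []
    for line in log_text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        if evaluate(f["src"], f["dst"], f["proto"], int(f["dport"])) == "deny":
            direction = "egress" if ip_address(f["src"]) in IMAGING_VLAN else "ingress"
            findings.append((f["src"], f["dst"], int(f["dport"]), direction))
    return findings
```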