1) Vendors of these devices almost across the board disallow local IT admins to put any windows patches on the machines
- this is due to FDA requirements for approval, and the vendor is "covering" themselves
- also, they usually have a list of "qualified updates" that is usually MONTHS behind MS's patch cycle (not surprising given the sheer number and speed of holes that are found)
- usually the vendors claim that THEY will apply patches regularly, in practice, they almost NEVER do
2) Vendors typically disallow these machines to be on the active directory
- this is because they can't stand troubleshooting/supporting issues in their software due to GPO's being pushed down, software management software, etc etc
3) To everyone screaming how idiotic it is that medical devices have Windows on them: you may be a geek, but have clearly never worked in a real enterprise environment. Windows is embedded on so many devices in the world (medical and otherwise) that you would never even know existed. Why? Because it's widely supported, has huge hardware support, and is surprisingly OPEN to developers to hack it into whatever they need it to be. And windows programmers are a dime a dozen.
4) To everyone screaming how idiotic it is that medical devices are connected to the internet getting infected - Do you even know how Conficker spreads? It spreads quite easily across a LAN, attaching to Windows file shares. See MS08-067 for more info. Many of these devices are on a LAN with no DNS (although plenty are on the 'net). Why? Again, because vendors insist that they be connected so they can VPN in and support them (often using LogMeIn, Webex etc).