Regarding altek's Point 3 -- Why windows? Why not? Being "not windows" doesn't really help security. We had a medical system with a flavor of UNIX on it. The vendor (won't mention the name, but it starts with A and ends with GFA) didn't seem to bother to put ANY protection on it. So it was penetrated and taken over by by an IP from another country, possibly one that starts with an I and doesn't speak Arabic and doesn't say 'Bjork' and isn't in southeast asia. So we had to send the hard drive off to 'the authorities.' The vendor put their stuff back on the new drive, AGAIN didn't bother to patch the OS, so AGAIN it was penetrated and taken over. Because the box was too pure (being UNIX and FDA-approved and all) they didn't seem to need to do ANY security patching. And they sure complained about having to send a tech down to load the new drive (both times).

But at the same time, I work in IT at a hospital, and our support contracts include on-site fixing by the vendor, but the vendors normally try to get our IT guys to be their eyes and fingers because it is CHEAPER than sending out a tech as the contract requires. And our medical folks don't want to wait until the vendor sends out a tech. I've been bitten too many times by trying to "help" our radiology folks with ther PACs system or our pharmacy folks with their P2000 system. Even if built on Wintel, these systems have too many odd outside-of-the-norm bells & whistles to allow us non-vendor techs a warm-fuzzy feeling when working on them. So dammit, vendor, I don't feel bad about you coming on site, because we PAY you to do so. But be sure to let us know before you come so someone from our IT section, familiar with your system and possessing the admin password, can come help. It doesn't help us when you pop in unexpectedly and the system-associated local tech is 40 miles away.