Hospital IT soaks in a special set of impossible choices.
Vendors lock them to insecure OSes and inflexible contracts. Regulations are equally inflexible. In general, security is in tension with providing patient care, especially in emergency situations. And all this stuff is super expensive, which means making do with old gear in a lot of places.
I am in no way defending incompetence. But the reality is grim.
Sorry, but I was being unclear. The MRI machine's supplier designed it using Windows XP and they don't offer anything else. Sure, it should be either airgapped or networked on some type of VLAN / quarantined from outside access, but that's not my point.