There are plenty of reports of hospitals using out-of-support Windows versions (95-XP) with known vulnerabilities on _networked connected_ devices. ( https://nakedsecurity.sophos.com/2020/02/20/nearly-half-of-h... )

On the parent comment I am not saying that hospitals aren't HIPPA compliant but rather that the security expectations of credit card data are higher than medical data.