Its the bad guys faults hospitals run on MSDOS and a prayer? Maybe a little.
Hospital infosec tends to be a joke. They have nice access controls inside the hospital, locking up meds behind badged vending machines and the like, but when it comes to infosec they comply with the bare minimum HIPAA says and thats it.
Medical field is a prime target for ransomware and other hacks because of this.