I can't say I blame you, I would be late for the door in seconds myself...
Scary, is it not? Assuming you are right, they have a $50 million development cost for the software they already have, presumably with no maintenance plan / life-cycle management and obviously, no end-of-life date set even though Microsoft blew their horn at 120 dB years before support ended.
The fact that it is a hospital that handles sensitive data is what makes this go from a laughing matter to a serious one. A good AV solution is, in this respect, false safety, as it is for the most part signature-based.
That means it is just like any viral infection is for us: first the virus is discovered, then we develop a medication/vaccine, and in an environment with sensitive data, that is a point of great importance.
What seems obvious to me (regardless of funding) is that someone must have failed somewhere when it comes to configuring a tight group policy security-wise to work around the lack of funding and minimize impact. Probably even added the domain user to the local computer administrators group, to save themselves the extra overhead in day-to-day work. This gives the user the install privilege and, without UAC, a free path for the infection to have an unrestricted party.