Would you trust each doctor to know enough about IT security to be capable of protecting patient data without hiring someone else to run their enterprise IT infrastructure?
No. But I would expect that the government (or a doctors' professional organization on its behalf) publishes a list of things he is allowed to use to work with patient data. Windows 10 shouldn't be on the list in my opinion.
Is there any reputable audit of this? Beyond what Microsoft claims?
This is a difficult problem. The software could be audited by an independent third party. However, each update needs to be audited as well. Furthermore, the binary of the initial state and each subsequent update binary would have to be signed by the auditor in a way allowing independent verification of the signature.