by tptacek 4039 days ago
Why is that a "temporary" fix? Segregating insecure protocols to VPNs, encrypted tunnels, and backchannel networks is one of the oldest, most time-honored tools in the security design toolbox. Not only is it a real fix, but it's probably the right fix.

If systems are life critical, you go so far as to use leased lines or other physical layer segregations. Treat it like a refinery, transformer substation, or natural gas pipeline terminal SCADA system.

EDIT: Easy on the downvotes, folks. If you disagree, engage me in discourse. As an infrastructure/network/devops/IT generalist role, I have seen terrible things happen when you don't properly segregate critical systems from public networks.

http://scadastrangelove.blogspot.com/

Especially considering that protocol will be bound to expensive, long-living and heavily certified hardware, so it will stay there for decades.

You must not have gotten the memo: Google exposed some of their corporate systems to everyone, therefore VPNs are now useless and have always been useless.

:)

Agreed. Trusting VPNs to be totally secure, especially in a big organization like a hospital, seems insane. At the surgery level, you want to make sure the malware-infected laptop or some open wireless access point doesn't come up with more creative surgeries.