It's hopefully not connected to the internet, but to the local network.
Many medical appliances in hospitals expose remote control over regular TCP/IP, preferably running Windows XP or CE.
I wasn't seriously suggesting it was directly connected, but my understanding (and I am far from knowledgeable when it comes to security) is that mission-critical devices should be physically 'firewalled' from the Internet, and even any network.
If you do that, how do the images get from the x-ray machine to the radiologist for analysis? How do they end up as part of the electronic health record & accessible for future use? If you create an air gap and ask people to use USB sticks to move data from "mission-critical" systems to the main network, you only slightly reduce the risk of those systems becoming infected and you now have a situation that's much less convenient (time is money) and creates a new vector for leaking personal health information.