Why?
Why are their firewalls so open?
Why are they not running AV?
Why is their AV not doing real-time file scanning?
Why is AutoRun not disabled? (gpedit and TweakUI are your friends; if I can do it, any moron can. Although I was mightily pissed to see a recent MS update seemed to have re-enabled it)
As to the Linux fanbois...as much as I like (and use) Linux, do think for a minute. If the software only runs on Windows, then running Linux is a bit stupid. No one will be able to get appointments then! Yes, there is WINE; but that is not applicable for these cases (and that's according to the WINE folks themselves: "Wine is still under development, and it is not yet suitable for general use." http://www.winehq.org/about/)
Now, you can pontificate all you want about how the software should have been written to open standards blah-de-blah; but the fact remains that it wasn't. Even if it were a web app, knowing the NHS, it would be IE6 only. So the clients have to run Windows. Even if it had been written in Java, there's a good chance that there will be problems in moving from OS to OS/JVM to JVM. Never mind the fact that Java client apps are bloated, ugly and painfully slow.
That means the admins should know how to secure Windows, or someone needs to bite the bullet and say "This is crap, we want to spend millions on new software that does the exact same thing". Then two things will happen:
1) You lot will be back on here bleating about the waste of money "Why do they need software they already have?"
2) MS will simply sprinkle some sugar on the correct MP/civil servant and the idea will be scrapped anyway.
You may not like it, but that's the way it is.