"Some expensive hardware (such as MRI scanners) cannot be updated immediately, and in such instances organizations will take steps to mitigate any risk, such as by isolating the device from the main network,"
Shouldn't that be "have already taken steps"? You know, like when they first knew they weren't getting any more security updates. Back in the days of floppies we called it sneakernet although write protection to ensure data only went one way was easier then. I imagine some similar protocol can still be done but it still relies on meatsacks getting it right.