In the case of hospitals there is absolutely no reason why Nurse Jones should be able to infect critical patient equipment with malware all because she wants to cruise Facebook from her cubicle (on an unpatched Win XP box running IE6 no doubt) during her lunch break. If the patient machines were air-gapped, this would not be an issue.
Of course, the hospital will argue that they need remote access to these machines from within the hospital (say in a doctor's office down the hall or from the head nurse's desk). That's easy to achieve without exposing the critical machines to the Internet. It would be slightly more expensive, but the expense is nothing compared to the potential lawsuits that failing patient monitoring equipment would surely bring.
Figure: Physical separation of secure government networks.
Would this require the nurses and doctors to have two separate machines on their desktop? Well, that is the safest way, but it's not the only way. Another solution would be to give each workstation two separate domains -- one "untrusted" domain for the Internet and non-critical work and another "trusted" domain for the patient monitoring data. This could be achieved through virtualization. One could either run two separate OSes in virtual machines or use something like a Mandatory Access Control system (SELinux, for instance). Another option would be Qubes, which enforces domain separation using a hypervisor and virtualization. In this case one could have a window on the screen that is trusted and another window that is untrusted, and neither window could interact in any way with the other (unless someone broke out of the virtual machine, which is possible in theory but still much better than what we've got now).
These same ideas would apply to power plants and other critical infrastructure, but will these simple, yet effective, ideas be implemented in that sector? Probably not (or at least until after something bad happens). Why? Because it's too simple. The government would rather award some contractor a few billion dollars to "solve" the problem in some convoluted and ineffective manner.
Of course, it would be great if these critical patient monitoring machines (and in the case of power plants, the SCADA machines) didn't run on Windows. But, as they say, "it is what it is" and I don't see that changing any time soon.