"Manufacturers tell healthcare pros the equipment should be always connected to some backend, contrary to the advice of security clearing house ICS-CERT and others."
This is where procurement should push back. Make it clear that if equipment has to be connected to a backend without that being a functional requirement, then it won't even make it to the long-list. If spurious recommendations that it be connected aren't removed from the bumph, it won't make it to the short-list.