Re: What do they need this for?
3. is most of the problem. Lots of 25+ year old proprietary stuff that either no patches exist for, or the patches that DO exist break other things. Hospital systems are a horrible, horrible mixmash of ancient tech, brand new tech, and duct tape.
It's no different to corporate IT. We recently "upgraded" to a new outsourced HR solution. It doesn't tick any of the boxes that IT "required" of it (federated SSO, 2FA, device independent, no activex), but it's the choice of the the HR VP so that overrides any other concern.
Actually we could have had the federated SSO and 2FA, but the beancounter vetoed the extra £3k pa that would have cost us in license fees. Still wouldn't make it work in ¬(IE > 6, IE < 11).
When your hosted solution requires ActiveX to draw a calendar on a webpage, you know you've made a wrong technical choice...