I'd argue that hospital computers shouldn't even have Bluetooth, but that aside, you can still achieve outgoing communication without allowing incoming communication. Yes, a hacker might break into an office, hold an employee at gun point and gain access to their account and then move laterally, but that's a very different threat model than "somebody ran an exploit scanner on the university's AS and encrypted our servers".
