In my experience completely separated networks are required.
So that we don't get off-topic on this, other reports I was reading (e.g. ransomware) were initially equating this to a ransomware-style attack, though it may have been some other form of malware.
The hospital hasn't disclosed details, from what I've been able to find, to describe the exact attack or what they did to restore things. One very possible approach could have simply been a good backup strategy where they could restore systems to a prior working state and then attempt to locate the infiltration source, if it was a network attack vs. something like a USB/sneakernet attack from someone's infected thumb drive.
From my own experience, I've seen deployments like these where multiple users outside of the security team want access to video streams, which makes it very hard to adequately lock down and isolate things.
One thought I had is that HTML/WEB gateways may make it easier to protect against these kinds of problems. You can limit open ports and in many cases the web gateway can be run on a separate machine which helps eliminate direct data transfer between a client machine and the server holding the actual video.
In some cases you might lose functionality by restricting some users to an HTML interface, but many times you have users that only need basic live viewing or occasional recorded video review.
While isolated or dedicated networks are one approach to a healthcare environment, with the emergence of the IoT (Internet of Things), it is getting to the point where it simply is not feasible to do. SDN (Software Defined Networking) is driving simplicity and dynamic capabilities into today's networks as opposed to rigid complexity. Networks are now becoming subservient to the very applications that run on them. In other words, an application, device, or IP camera will be capable of defining its requirements, and the network will dynamically deliver the requirements in a zero-touch capacity. While this will simplify installations of Video Surveillance, it will also raise security risk. Components that belong to the Video Surveillance solution will be placed in their own VRF (Virtual Routing and Forwarding) Container automatically.
VRFs have been around for quite some time, and are commonly used in integrated networks to create secure containers for applications like surveillance. Deploying a surveillance solution within a VRF keeps security data confined within the VRF without requiring a dedicated network. Throughout the years, I have successfully deployed this approach at many airports, hospitals, and critical infrastructure sites.
Simple: always create an isolated (no outside access), physically separate network for IP CCTV (all security). There are a lot of reasons this is smart, but security of the network and its assets is the best. If you need the admin and security network to talk to each other (say, for remote access, or to reach an access control database), handle these transactions via a firewall.
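As an added illustration of the firewall-mediated arrangement described in this post (and the web-gateway point made earlier), not something any poster supplied: an nftables ruleset for a dual-homed firewall between an isolated CCTV network and the admin network. Interface names, subnets, host addresses and ports are all assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed topology:
#   cctv0  -> 10.20.0.0/24  cameras, recorders, VMS web gateway at 10.20.0.10
#   admin0 -> 10.10.0.0/24  operator workstations; access control DB at 10.10.0.50

flush ruleset

table inet cctv_fw {
    set cctv_viewers {
        type ipv4_addr
        # assumed operator workstations allowed to view video
        elements = { 10.10.0.21, 10.10.0.22 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Devices on the CCTV network never initiate connections off it:
        # no Internet, no admin LAN. The one exception is the VMS reaching
        # the access control database (assumed PostgreSQL on 5432).
        iifname "cctv0" ip saddr 10.20.0.10 oifname "admin0" ip daddr 10.10.0.50 tcp dport 5432 accept comment "VMS -> access control DB"
        iifname "cctv0" counter log prefix "cctv-egress-blocked " drop

        # The admin LAN reaches only the VMS web gateway, only over HTTPS,
        # and only from listed viewer workstations. Cameras, recorders and
        # raw RTSP/ONVIF ports are never reachable from the admin side.
        iifname "admin0" ip saddr @cctv_viewers oifname "cctv0" ip daddr 10.20.0.10 tcp dport 443 accept comment "viewers -> web gateway"
        iifname "admin0" counter log prefix "cctv-ingress-blocked " drop
    }
}
```

Remote access in this layout terminates on a VPN in the admin network, so remote users still only ever see the web gateway, and the two log prefixes give a simple feed for spotting a CCTV host that starts trying to talk outward.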
Use a VPN with authentication for remote access, password-protect everything, and if possible use a separate network.