I worked in Hospital IT
The problem most likely isn’t in the IT Department.
Our HR & Accounting department insists on running ADP timekeeping & payroll using Java.
It is a full time nightmare
Run the Java via a secured hypervisor. This is easily achieved by running it in a VM on the workstation with restricted permissions between the host OS and the Java-enabled VM’s OS. The Java VM should have its NIC disabled and NTFS permissions locked down so the only external accounts to have access are the host OS accounts. Host accounts should only have Read access to the Java VM’s data files. Host accounts should NOT have Write or Modify on the VM OS, since that is done within the Java VM and it is not necessary for creation of the data files. Similarly, all the Java VM OS accounts should be denied access to the host OS, even System.
If networking is needed between the Java-enabled OS, set up a private IP subnet in the core router, firewalled off from everything else.
Oh, and install Key Scrambler, for cripes’ sake.
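As an added illustration of the lockdown the comment above describes (this is example code written for this page, not something posted in the thread), the following PowerShell script detaches the VM's virtual NICs and restricts NTFS permissions on the folder where the VM's data files land. It assumes a Hyper-V host on the workstation, a VM named `JavaPayrollVM`, a host-side data folder `C:\JavaVM\Data`, and the `BUILTIN\Users` group as the host accounts that may read the files; all of those names are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Assumes Hyper-V on the workstation.
# Placeholder names: adjust $VmName, $DataPath and $HostReaders for your site.
$VmName      = 'JavaPayrollVM'      # placeholder VM name
$DataPath    = 'C:\JavaVM\Data'     # placeholder folder that receives the VM's data files
$HostReaders = 'BUILTIN\Users'      # host accounts allowed READ-only access to those files

# 1. Make sure the VM exists before changing anything (stops on error).
$vm = Get-VM -Name $VmName -ErrorAction Stop

# 2. Disconnect every virtual NIC from its switch, then remove the adapter,
#    so the VM has no network path at all (the "NIC disabled" step).
Get-VMNetworkAdapter -VMName $VmName | ForEach-Object {
    Disconnect-VMNetworkAdapter -VMName $VmName -Name $_.Name
    Remove-VMNetworkAdapter    -VMName $VmName -Name $_.Name
}

# 3. Verify: this should list no adapters once the VM is fully detached.
$remaining = @(Get-VMNetworkAdapter -VMName $VmName)
if ($remaining.Count -ne 0) {
    Write-Warning "$VmName still has $($remaining.Count) network adapter(s) attached."
} else {
    Write-Host "$VmName has no network adapters."
}

# 4. Lock down NTFS on the data folder: drop inherited ACEs, grant host users
#    Read only, and keep Full Control for Administrators and SYSTEM so the
#    folder itself can still be managed and backed up.
icacls $DataPath /inheritance:r
icacls $DataPath /grant:r "${HostReaders}:(OI)(CI)R"
icacls $DataPath /grant:r "BUILTIN\Administrators:(OI)(CI)F"
icacls $DataPath /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

# 5. Print the resulting ACL so the change can be reviewed and recorded.
icacls $DataPath
```

Run it from an elevated PowerShell session on the host. Removing the adapters (rather than only disconnecting them) means a later `Connect-VMNetworkAdapter` cannot silently re-enable networking; if the VM genuinely needs a network, re-add a single adapter bound to a dedicated switch that maps to the isolated subnet the comment mentions, and firewall that subnet at the router.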