If patients can get free Wi-Fi at McDonald's, they'll expect it when they're at the hospital. The key, of course, is to give patients what they want without exposing PHI and other sensitive information. Subnetting, or creating subnetworks, is the best way to do this. Set aside part of your network for public use; limit guest activity to the browser. Use separate, more secure subnets for business applications, any app that touches PHI and any app that's involved with credit card transactions. Another subnet for those old medical devices may be a good idea, too. As stated, encrypt each subnet in accordance with Wi-Fi Protected Access 2 protocols, and change WPA2 keys frequently.