Yep. You'd have to either know what was on the whitelist or do some kind of bruteforce. Wouldn't be very hard, although I think this stuff is logged centrally in organisations as data-paranoid as the NHS so some random box hotplugging thousands of different peripherals every minute would attract attention pretty quickly, you'd hope.

When I was (working) at the hospital most of the records were still on good old hard-to-steal paper. Still are IIRC, the governments plan to IT-ize it all was fucked up by the vendors in exactly the way you'd imagine.

Or you could safely assume that it's either keyboard made by Dell, IBM, or one of few well known companies.