The healthcare industry as a whole is extremely bad.
I want to say "exceptionally", but I honestly don't know.
I have worked directly with many of the biggest names in health insurance and doctors' groups. Just last week, we had a strong insistence from a doctors' group that they could not do TLS. It turned out that their parent company had already implemented it (and I had personally validated it), but whoever the local "technical" person was was multi-dimensionally clueless.
We updated our SFTP servers a couple of years ago--it broke some of our connections because their servers, coming from one of the larger health data exchanges, could only support ciphers that were no longer supported by sshd on the updated server. The IBM India contractor created a ticket to update their connection to support the oldest cipher suite my updated system could support.
Last fall, we had a mid-sized insurance company insist that we log in and pull data from them--except their sftp server was only configured to support cipher suites that had been deprecated for ten years, and that were now finally dropped by the ssh client.
Not to mention UHC.
And of course, these are the SAME companies that are insisting that we rotate everyone's passwords every month or three despite NIST reversing that recommendation--in 2017.
The thing is that the ongoing cost of securing services is one that the bean counters see as optional. And the truth is, in the current legal environment it is. That's the dirty little secret. Look at Enzo's financials.
Until we get criminal individual negligence involved, nothing is going to change.
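The two SFTP failures described in the comment above both come down to the same mechanical rule: SSH picks the first cipher on the client's name-list that the server also offers (RFC 4253 section 7.1), and if there is no overlap the connection dies before authentication. The script below is an added example, not code from the commenter or from any of the organisations mentioned. It replays that negotiation over constructed name-lists (the same comma-separated format `ssh -vv` prints as `ciphers ctos:` / `ciphers stoc:`), reports which side would have to re-enable what, and flags when the winner is a legacy algorithm. The `LEGACY_CIPHERS` set is an illustrative list of algorithms modern OpenSSH has removed or disabled by default, not an authoritative one.

```python
"""Replay SSH cipher negotiation (RFC 4253 s7.1) over constructed name-lists.

Added example; not the commenter's code. The legacy set below is an
assumption for illustration, not a complete or authoritative list.
"""
from typing import Dict, List, Optional

# Algorithms modern OpenSSH releases have removed or disabled by default.
LEGACY_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256",
    "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se",
}


def parse_name_list(text: str) -> List[str]:
    """Parse an SSH name-list: comma separated, order is preference."""
    return [name.strip() for name in text.split(",") if name.strip()]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 s7.1: first algorithm on the client's list that the server
    also offers. None means key exchange fails and the session never starts."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def diagnose(client_text: str, server_text: str) -> Dict[str, object]:
    """Explain a client/server cipher mismatch the way the tickets in the
    thread above would need it explained."""
    client = parse_name_list(client_text)
    server = parse_name_list(server_text)
    chosen = negotiate(client, server)
    return {
        "chosen": chosen,
        "chosen_is_legacy": chosen is not None and chosen in LEGACY_CIPHERS,
        # What the contractor's ticket amounts to: the server re-enables the
        # client's top preference (sshd_config: "Ciphers +<name>").
        "fix_on_server": None if chosen or not client else client[0],
        # The mirror image: the client re-enables the server's top preference
        # (ssh_config / -o "Ciphers=+<name>").
        "fix_on_client": None if chosen or not server else server[0],
        "client_offers_only_legacy":
            bool(client) and all(c in LEGACY_CIPHERS for c in client),
        "server_offers_only_legacy":
            bool(server) and all(s in LEGACY_CIPHERS for s in server),
    }


# Constructed sample name-lists; not captured from any real system.
MODERN_OPENSSH = (
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)
LEGACY_EXCHANGE_CLIENT = "aes128-cbc,3des-cbc,blowfish-cbc"   # pulls from us
LEGACY_INSURER_SERVER = "aes256-cbc,3des-cbc"                 # we pull from them

if __name__ == "__main__":
    cases = {
        "updated sshd vs. exchange's legacy client":
            diagnose(LEGACY_EXCHANGE_CLIENT, MODERN_OPENSSH),
        "modern ssh client vs. insurer's legacy sftp server":
            diagnose(MODERN_OPENSSH, LEGACY_INSURER_SERVER),
        "both modern":
            diagnose(MODERN_OPENSSH, MODERN_OPENSSH),
        "client prefers CBC, both sides still allow it":
            diagnose("aes128-cbc,aes128-ctr", "aes128-ctr,aes128-cbc"),
    }
    for title, result in cases.items():
        print(f"{title}:")
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Two things worth noticing in the output. First, the last case shows that the client's preference order decides the winner, so a server that merely "still allows" a CBC cipher for one legacy partner will silently end up using it with any client that lists CBC first. Second, `fix_on_server` for the exchange case is `aes128-cbc`, which is exactly the "oldest cipher suite my updated system could support" outcome described above: the fix that gets the ticket closed is the one that drags the hardened server back down.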