I run a security company and we focus on healthcare. In general health care is well behind other industries in regards to IT security. It just has not been a priority. The Feds are enforcing it now and people are trying to catch up but most don’t have the money or know how.
With that said, the Chinese get into the most secure systems. Fighting them defensively isn’t going to work.
But why can't my doctor just keep my info? Why does it have to be on computers with many others where it is almost certain to be a target for cybercrime?