Cybersecurity in healthcare is one of the most high-stakes battlefields. The consequences of breaches in medical environments go beyond financial loss and can mean life or death. From ransomware crippling hospital networks to threat actors targeting medical devices, the risks are growing.
What’s the biggest cybersecurity risk in healthcare today?
For me, it’s the gap between cybersecurity teams and medical professionals. Compliance frameworks like HIPAA and NIST 800-66 exist, but how well are they enforced in real-world hospital settings?
As someone with a background in cybersecurity, digital forensics, and medical imaging and neuroscience research, I’ve been exploring how threat intelligence, AI-based detection, and digital forensics can help secure critical healthcare infrastructure.
I’d love to hear from this community: What do you think is the most overlooked cybersecurity risk in healthcare? How can we bridge the gap between IT security and medical professionals?
Thank you for sharing that and agree. You almost got by but did have one HIPPA. I have seen that misspelled on presentation slides which is way worse. I usually tell them at a break. I was going to try the HCISPP and had recommended it to others, but those days are sadly gone.
Well, as someone who spent 7 years doing security risk assessments with a variety of healthcare organizations to help them be HIPAA compliant, AND who has the HCISPP cert (agree they shouldn't have dropped it, but more people should have gotten it), I am pretty familiar with this area. FWIW, I am now a CISO/DPO (and HIPAA Security and Privacy Officer) for a small Business Associate in this space.
I should point out that neither HIPAA nor SP800-66 is a compliance framework. HIPAA is a regulation, and 800-66 is about how to implement it.
And if you learn about compliance frameworks (RMF, NIST CSF, 27001, CIS Controls, et al), you will find that the HIPAA regulation is largely based on 27001.
Also, you should become familiar with HITRUST and their CSF. MANY in the healthcare space get certified against the HITRUST framework. In fact, my company is certified and has SOC 1 and 2 reports. This is because our clients, all large healthcare orgs, demand it.
So with that said, based on my time as a consultant, the BIGGEST problem is that too many in the healthcare space just do NOT understand the importance of cybersecurity. And to a degree I understand this. They are focused on providing healthcare to their patients. But at the end of the day, they still brush off cybersecurity and refuse to accept its importance. I've seen too much cost cutting related to this. Not wanting to spend money on secure storage or even firewalls because of this. (I had one doctor say that since firewalls weren't SPECIFIED in HIPAA, why implement them....)
What about others? I've got LOTS of stories I could share of the horrible things I saw.