More accurately, they are NOT tech professionals. The type of people who do IT for small private practices are not that good either, and for the majority of it they really just don't know. You really can't expect these people to understand the full consequences of stuff like encryption, offline vs. online media and more. To them, if it has a user name and password, that is safe, right? Use the HIPAA lockbox software and it should be good, right?

In the past, before computers, they would be putting these in files on large file folder shelving units with colored folder tabs behind a counter, and the only real security was a receptionist who would stop you if you tried to interact with it, and they locked the door to the office when they left. If someone broke into the office back then, your medical records would've been stolen & unencrypted too (beyond the illegibility of most doctors' handwriting), and as a society we were ok with that security level.



You're probably right that ignorance is the root of their apathy. Hopefully with this event making the news, doctors at least in the same specialty will hear about it and do something. Unencrypted offline records physically secured in the office building seem more than adequate in all but the most exceptional scenarios though. Maybe it wouldn't be good enough for doctors of high-value targets (celebrities, politicians, etc.). Burglars targeting medical records seems uncommon.

Harsh fines are probably the best way to make doctors care though. If they know they risk financial ruin for not securing their records, they'll have a strong personal incentive to remediate their ignorance.


You'd think that, but... SolarWinds


I'd think it specifically of doctors who specialize in human bodies, not computer stuff. SolarWinds on the other hand could not possibly be excused for ignorance.


One of my first jobs out of college was working at a medical school. Doctors in general think computers are magic and that compared to their actual medical expertise programming is easy. I neither expect nor, to be honest, want them worrying about computer stuff. I won't try to tell them how to cure sick people.


I don't want them to be tech professionals. I want them to use the best in class tools they can get, which it turns out are also the easiest to use and often the cheapest. If this surgery practice had just kept their photos on Google Drive with GSuite admin policy enforcing 2FA, they would have been most of the way to gold standard infosec and also would have dramatically better real-world durability and availability. Any consultant could have set them up that way in an hour.


That doesn't protect against the kind of attack that compromises the endpoint (wait for logged-in 2FA state, interact with the browser in the background with the exact same state in headless mode and download), and you do not know whether, when they set up their systems, GSuite, 2FA & HIPAA / UK equivalent agreements were even available back then.

For all you know, they could have had that system too, the article does not say what it was.


These kinds of things never turn out to be that sophisticated. It's always that they left the SMB port open and the password was "password".

