Personally, I haven’t had any experience with CIA issues. However, I used many health information systems in hospitals that do not implement a secured connection (SSL). Also, preserving the data confidentiality the system availability was a challenge even in big institutions. A few systems failed to maintain proper confidentiality by using a weak password policy and 2FA was optional to make it easier for system users.
I think organizations should hire information security professionals to review their outdated systems and assess potential risks to anticipate malware attacks and train employees to maintain CIA Triad in the organization.