It is really very important in a regulated environment to protect data, in your case probably patients' privacy. What makes a difference is whether the web server is outside of the company network (in a DMZ) or on the internal network. For DMZ web servers I would not send unencrypted passwords etc. and would set up SSL. For a web server on the internal network, I would care more about other requirements, like unique logins, backup encryption and general backup security, web application quality (whether it allows SQL injection) etc.

Regards,
Yelena Varsha