How to convince your boss about importance of IT security

There are several issues here.

Your immediate concern seems to be that you have not managed to convince one individual of the need for better security. Fixing that will solve the problem - but it may be a big mountain to climb. Greg Dolph's answer already covers this.

The problem here is that your employer is producing a product which is not fit for purpose, and may result in serious damage to your employer, to the users of the product, and to other parties. Unless the organisation which employs you is your boss (and does not have other stakeholders / shareholders), then you should at least be making other key decision makers aware that you have concerns which your boss thinks are unfounded.

It's commendable that you are concerned with the security of the systems you are working on, and you have taken the first step to resolving the problem. But if this does become more widely known, then it's likely that those responsible for decision making (or possibly even those responsible for enforcing law/policy) will want to be seen to be taking action - i.e. you need to cover your rear. Try to make sure you've got any verbal discussions noted, preferably minuted. Get copies of all emails somewhere you can access them.

Don't threaten. Don't cajole. Keep calm. Be persistent. Keep records.


The best way to go is to point your boss to the laws, industry regulations, and real world cases where companies have lost their shirts and executives walked out the door or were sent to prison for breaking them. Nothing motivates execs like personal risk. Make it apply to them, not just to the company. You can talk about best practices and industry standards, or even how audits require these things, but they may not care unless you show that by not caring things could get real ugly for them.


My recommendation is to show your boss what implications this may have for his business. Especially emphasize the fact that if you get attacked and information is disclosed (you can provide him with examples of other companies that got hacked, like LinkedIn or Yahoo), the reputation of his company is at stake.

Especially when dealing with sensitive medical data. Also do remind him that he (yes, he personally) can be held liable for a breach if he was informed and did not do enough to protect the system. (You could also say because he was informed beforehand that there was a breach, but that might be considered too much of a threat.)

Like symcbean says, do not threaten and keep records.