Is there any actual security benefit to restricting foreign IP addresses?

The concept is "reducing the threat surface". If there is an expectation that no connections will be made from a certain geographic area, then it makes sense to block that area, because, by definition, it is not legitimate. In theory. (For a health provider, it's a weird choice since customers might want to manage their health while traveling, but this is a side issue.)

For one company I worked for, there was a list of countries that listed the Top 12 worst offenders for cybercrime, and we did not have any customers in those countries. So, it made sense to block them.

  • Could attackers use proxies/VPNs to attack from an allowed IP? You bet.
  • Did they? Who knows.
  • Did we experience high volumes of attacks from those 12 countries anyway? Oh yes.

We saw an immediate 80% drop in traffic to our webservers when we started the geo-IP ban.
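A way to measure what a country-level ban would drop before switching it on, as an added example that is not part of the original answer; the geo-IP ranges, the "XX"/"YY" country codes and the access-log lines are constructed placeholders, not real allocations or real traffic:

```python
import ipaddress
from collections import Counter
from typing import Optional

# Constructed geo-IP table (CIDR -> ISO country code). Real deployments use a
# maintained geolocation database; these ranges and the "XX"/"YY" codes are
# placeholders, not real country allocations.
GEOIP_TABLE = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "GB",
    "203.0.113.0/24": "XX",  # placeholder for a blocked country
    "10.0.0.0/8": "YY",      # placeholder for a second blocked country
}
BLOCKED_COUNTRIES = {"XX", "YY"}  # countries with no expected customers

# Longest prefix first, so a more specific range overrides a broader one.
_NETWORKS = sorted(
    ((ipaddress.ip_network(c), cc) for c, cc in GEOIP_TABLE.items()),
    key=lambda n: n[0].prefixlen, reverse=True)

def lookup_country(ip: str) -> Optional[str]:
    """Country code for ip, or None when the table has no matching range."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in _NETWORKS if addr in net), None)

def is_blocked(ip: str) -> bool:
    """Block only addresses that map to a blocked country. Unmapped addresses
    are allowed (fail-open) so a gap in the table cannot lock out customers."""
    return lookup_country(ip) in BLOCKED_COUNTRIES

def simulate_ban(log_lines: list) -> dict:
    """Apply the policy to access-log lines whose first field is the client IP
    and report what share of requests the ban would have dropped."""
    by_country, blocked = Counter(), 0
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        by_country[lookup_country(ip) or "unknown"] += 1
        blocked += is_blocked(ip)
    total = len(log_lines)
    return {"total": total, "blocked": blocked,
            "drop_pct": round(100 * blocked / total, 1) if total else 0.0,
            "by_country": dict(by_country)}

# Constructed access-log lines (combined log format, abbreviated).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '10.9.8.7 - - [01/Jan/2024:00:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:00:00:03 +0000] "GET /.env HTTP/1.1" 404 0',
    '10.1.2.3 - - [01/Jan/2024:00:00:04 +0000] "GET /admin HTTP/1.1" 403 0',
    '192.0.2.44 - - [01/Jan/2024:00:00:05 +0000] "GET /coverage HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(simulate_ban(SAMPLE_LOG))
```

Run it over a day of real logs first: the `by_country` breakdown shows whether any blocked country actually carries customer traffic, and `drop_pct` is the figure to compare against the 80% the answer reports.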


One thing to consider: there are many countries in which the state, or maybe shady Internet providers, snoop on Internet traffic.

Even if your health care provider's website uses TLS (which I assume), PCs in those countries might have a fake root certificate installed to intercept your traffic. So when Joe average becomes sick and goes to an Internet cafe to check his coverage on the health provider's website, no one can be sure that their data - and login credentials - are safe.

Blocking foreign IP addresses and requiring a VPN mitigates at least some of this - you can't install the VPN client on some public computer, so you need to use your own laptop; this helps against keyloggers as well, and MITM attacks against a VPN are way harder than MITM against HTTPS, because the VPN client knows which certificates to expect, so you can't just use a fake CA.


The security benefit is likely small, but real.

My workplace deals with scans from foreign soil all the time. Mostly these come from a few notorious places like Palestine, or Russia where political and legal issues exist between the US and these countries that make them more attractive attack hosts. They also come from more friendly countries like France or The Netherlands. They're far less likely to come from inside my own country. I hazard a guess that this might be because it's easier to obtain search warrants or tap/trace devices for a source and a target within the same country. Where these people exist in meat-space is anyone's guess.

These are all largely automated processes targeting large swaths of the Internet. They're unsophisticated enough that the attacker isn't likely trying to target us per se, but is just trying to find "someone" to go after.

It's certainly true that these attackers can use other means to use an IP address inside my country. I've seen them do this through various other means when they're blocked by us. But this takes extra effort for the attacker, which may be better spent elsewhere and may not be worth the trouble for the attacker to go after a more hardened target.

As the saying goes, you don't have to be the fastest animal running away from the predator; you just can't be the slowest.