My company software is used in the medical field. Our clients used it in the cloud (saas). They are mostly healthcare facilities and their patient's data is stored in our software/application. To comply with the GDPR, our company has just to ensure the security of the information system, correct? So data encryption, data access policies, etc ...?
In terms of security measures you should apply all necessary security measures to protect the personal data considering the fact that you are processing health related data which is considered special category of data, and a good starting point is the use of ISO27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.
Don`t forget about setting up a data breach management process because you would need to notify the controllers in case of a data breach.