The first step for data security actually hasn't been taken by folks that have written most of the medical or even financial software that I've seen.  They use clear text SSNs and other PII.  I've even consulted for a company that uses SSNs as clear text PKs across multiple databases on multiple systems.
People don't get it until it's their data that has been stolen or spilled.  For me, that's the litmus test.  How comfortable would I be in having my SSN and PII on a system?  The answer is serious negative comfort.  I've made that challenge to a couple of supposed "compliance officers" in various companies and, to date, none of them have agreed to add their SSN or even their birthdate to their own systems.  These people should be unceremoniously fired and maybe their names should be made available on a public list kind of like sex offenders are.  Maybe then, they'd start to take a bit more care with our data.