Securing data when data is everywhere

10.04.2006

So, what is my strategy? Tell program staffers that they can't create Access databases? Not going there.

I have requested a list of all Access databases agencywide. I want to know who the owner of each database is, who the users are, what the purpose of each database is and whether it contains electronic protected health information. Once we know where all these little databases are, we are going to institute user-level security for all of them and apply network- and file-level permissions based on the sensitivity of each database. I also want to require that anyone extracting data from the primary information system into a local file system or database must get sign-off from IT security and his department head.
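The inventory described above can be started from the file servers rather than waiting on self-reporting: walk the shares for Access files, read each file's owner and allow ACEs, and flag any database that a broad group (Everyone, Authenticated Users, Domain Users) can write to. The PowerShell below is an added example, not a script from the column; the share paths, the output file and the list of "broad" principals are assumptions to be replaced with local values, and the Purpose and ContainsEPHI columns are left blank for the data owner to fill in.

```powershell
# Inventory Microsoft Access databases on file shares: owner, allow ACEs, and a
# flag for broad write access. Added example; share roots and output path are assumed.

$SearchRoots = @('\\fileserver01\departments', '\\fileserver02\shared')  # assumed share paths
$OutFile     = 'C:\Temp\access-db-inventory.csv'                        # assumed output path

# Principals that, if granted write rights, mean "anyone on the network" can alter the file.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')

# Rights that allow changing or replacing the file, as an integer mask for -band.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

$inventory = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.mdb', '*.accdb' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Acl needs READ_CONTROL on the file; record the failure rather than skipping the file.
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { $acl = $null }

        $entries    = @()
        $broadWrite = $false
        if ($acl) {
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                $entries += "$id=$($ace.FileSystemRights)"
                # Match with or without a domain prefix, e.g. CONTOSO\Domain Users.
                $isBroad = $BroadPrincipals | Where-Object { $id -like "*$_" }
                if ($isBroad -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
                    $broadWrite = $true
                }
            }
        }

        [pscustomobject]@{
            Path         = $file.FullName
            SizeKB       = [math]::Round($file.Length / 1KB)
            LastWrite    = $file.LastWriteTime
            Owner        = if ($acl) { $acl.Owner } else { 'ACL READ FAILED' }
            AllowEntries = $entries -join '; '
            BroadWrite   = $broadWrite
            Purpose      = ''   # to be completed by the data owner
            ContainsEPHI = ''   # to be completed by the data owner
        }
    }
}

# Full inventory to CSV; databases with broad write access listed first for follow-up.
$inventory | Sort-Object BroadWrite -Descending | Export-Csv -Path $OutFile -NoTypeInformation
$inventory | Where-Object BroadWrite | Select-Object Path, Owner, AllowEntries | Format-Table -AutoSize
```

Run it under an account that has at least read access to the shares and to the files' security descriptors; a database whose ACL cannot be read is itself worth a follow-up, which is why the script records that rather than dropping the row. The owner column is the starting point for the "who owns it and what is it for" conversation, and the BroadWrite flag identifies the files whose permissions need tightening first.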

At the same time, we'll have to re-educate staffers so they understand why we are doing this. We have trained our employees on HIPAA privacy, but they don't really understand the security aspects. As I said, convenience trumps security needs in their eyes, and they are used to having information available to them on the network and having the ability to copy, change, move and e-mail it -- all the things that keep a security manager awake at night.

I can't think of any other way of doing this. I'd certainly like to hear your ideas.

What do you think?