I have the exact same problem with what Mr.Kawin said! It’s about the default password and “test” password which I believe was once created to simplify internal testing yet those accounts still are active in real world use. Nonetheless, I have never really had any direct experience about CIA in my organisation. Well, there might be some “downtime” in the HIS server due to power shortage, malware attacks but other things seem to be performing well to me. All hospital data is stored within internal network and is not intended to be shared whatsoever, but since it is an old-fashioned database design which was used over decades ago, I strongly doubt that it will provide such an encryption or data privacy policy, to be honest.
In order to achieve data confidentiality, integrity and availability standard, I personally would suggest to upgrade an infrastructure and database design, but I don’t think it is something that can be done over night because it will require a lot of manpower, time and resources.