This question is about best practices regarding firewalling personal identifiable information such as health records (please see attached image). This scenario assumes the use of Cisco ASA 5500 firewalls.

If the majority of cyber attacks happen from within an organization is it more important to give the "internal" interface a higher security level (higher level of trust) than the DMZ interface that connects to customer information or should the internal interface have a lower security level? I have included a visual depiction of this scenario in my attached document. I would like to know what others are doing to firewall critical information. Would an organization be remiss in not assigning the data servers the highest level of security while assuming that the internal network should be the most secure? Any insight into this question would be appreciated. Thanks!