Here are some of my thoughts:
Make sure the server is physically secure.
Spend plenty of time working on restricting access to the database to only allowed programs or hosts.
Spend more time working on the granular authentication scheme you'll use to restrict user access to the data.
Consider who has access to any database backups.
How is data that's presented to users secured after it's viewed? Think about what and where any data gets cached.
I'm sure there's lots more.