Because of the increasing role of information technology in health care more attention is needed for security. Legal, technical/organisational and social measures are needed. Based on general principles a high level security policy needs to be formulated for each institution. Based on such policy measures can be selected and implemented. The need for a high level policy is emphasized; as an example the high level policy developed within the AIM SEISMED project is briefly described.