The design and implementation of a security policy for a healthcare organisation is by no means trivial but it is, at least, feasible, taking into account the wide range of information security and privacy enhancing technologies that are currently available. Considering, however, a shared care environment with the participation of many independent healthcare organisations and the requirement for exchanging electronic healthcare records, the situation becomes much more complex since the implementation of global security policy may turn out to be an over ambitious task. This paper aims to highlight the main sources of complexity and to provide pointers for managing or/and resolving them.