Security of information in the health care environment depends not so much on technical controls as on compliance with policy by all those who use the information. Awareness of policy and observance of a code of conduct, whilst important, do not itself ensure that staff respect confidentiality, let alone follow other measures to secure records. A culture of security must be developed throughout the health care community. This demands clear policy with practical procedures that are relevant in the workplace, a long-term programme in which changes can be introduced in a managed way that is sensitive to the tensions between security and other working practises, commitment from senior management to achieve change, and strong leadership from within the health care professions. The UK National Health Service has begun such a process with the endorsement of the 'Caldicott Committee Report on the review of patient-identifiable information' and its recommendation that all health organisations appoint a senior health care professional to be responsible for confidentiality of patient information. Raising the political profile of patient confidentiality has served to change the rate of change up a gear. The response of one health care community to this initiative will be discussed and lessons drawn regarding cultural change and information security.