
Securing healthcare data in preparation for a post-quantum era
A post-quantum world may seem far off, but experts say that healthcare leaders should begin planning now to ensure that health data is protected.
Tech companies around the world are working on creating large-scale quantum computers, which will solve certain classes of problems dramatically faster than classical machines. When they achieve this, many traditional encryption methods will become obsolete, creating security and operational challenges for organizations everywhere.
There is conflicting discourse about how soon quantum computing could become a reality -- some experts say five years, while some say 15 or more. Others say the quantum era has already begun, citing significant breakthroughs in recent years. Despite varying predictions on the timeline, experts agree that cryptography will be impacted whenever powerful quantum computers become widely available.
While the distant (or not so distant) future state of quantum computing may seem too far off to prioritize today, healthcare data security experts should be aware of quantum computing's impact on encryption and begin laying the groundwork for operational changes.
"For leaders in healthcare information technology, the landscape of immediate cyber risk is perpetually challenging. The daily effort to defend against ransomware, secure connected medical devices, and prevent data breaches consumes significant resources and attention," said Kurt Rohloff, chief technology officer and co-founder of Duality Technologies.
"In this context, addressing a threat that appears to be on the horizon, such as the advent of quantum computing, can seem like a secondary concern. However, a closer examination reveals that the quantum threat is not a distant problem but a present-day data security issue that requires strategic consideration alongside current operational risks."
Understanding quantum risk
According to Rohloff, when quantum computing becomes a reality, current public-key encryption standards will become obsolete, necessitating a shift in how patient data is kept safe.
"A sufficiently powerful quantum computer will be capable of breaking the mathematical foundations of widely used algorithms like RSA and ECC," he said. "These algorithms secure vast swaths of our digital infrastructure, from the TLS/SSL protocols protecting data in transit to the digital signatures verifying the integrity of health records."
The motivation to act now rather than later is that cyberthreat actors are already preparing for a post-quantum reality.
"Malicious actors, including sophisticated nation-states, are currently engaged in harvesting and exfiltrating large volumes of encrypted data," Rohloff said. "They do not possess the means to decrypt this information today. Instead, they are stockpiling it with the expectation that the arrival of fault-tolerant quantum computers will provide them the key to unlock it in the future."
This is particularly troublesome for healthcare, given that health data retains its sensitivity indefinitely. When credit card data is exposed, a consumer can often get new account numbers and move on, but the same is not true for health records.
"Data stolen today represents a latent vulnerability that could materialize into a major breach a decade from now, with profound implications for patient privacy, trust and safety," Rohloff noted.
Preparing for a post-quantum world
The prospect that cyberthreat actors can collect encrypted data now and hold onto it until quantum computers can break existing encryption methods (often called "harvest now, decrypt later") has spurred standards organizations into action.
The National Institute of Standards and Technology (NIST) worked for eight years to create its first set of post-quantum cryptography standards, which it debuted in 2024.
The standards consist of three encryption algorithms designed to withstand cyberattacks from a quantum computer.
NIST recommended that organizations begin adopting these standards as soon as possible.
"Quantum computing technology could become a force for solving many of society's most intractable problems, and the new standards represent NIST's commitment to ensuring it will not simultaneously disrupt our security," Laurie E. Locascio, former NIST director and undersecretary of commerce for standards and technology, said in an August 2024 press release announcing the standards.
"These finalized standards are the capstone of NIST's efforts to safeguard our confidential electronic information."
In addition to planning for the migration to these new post-quantum cryptography standards, Rohloff recommended that security practitioners look into fully homomorphic encryption (FHE), which "allows for computations to be performed directly on encrypted data without ever needing to decrypt it."
"One can think of it as allowing a third party to analyze or process a sensitive dataset while it remains securely scrambled in a locked box," Rohloff explained. "The results of the computation are also encrypted and can only be accessed by the owner of the secret key."
FHE offers resistance to quantum computer-based attacks and also enables collaboration, since an organization can hand encrypted data to a third party for processing without ever exposing the plaintext.
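To make the "locked box" idea concrete, here is an added toy illustration of computing on encrypted data. It is not Duality's code, not a real FHE library, and not secure: it is a symmetric Regev-style LWE scheme with deliberately tiny parameters (the dimension, modulus, error range and the choice of a lattice construction are all my assumptions) that supports only encrypted addition of small integers. The point it shows is the one Rohloff describes: a party holding only ciphertexts can add them up, and only the holder of the secret key can read the result.

```python
"""Toy LWE encryption showing computation on encrypted data.

Added illustration, not Duality's or any production FHE library's code.
Assumptions: Regev-style symmetric LWE with tiny, insecure parameters,
supporting only homomorphic addition of integers modulo P.
"""
import random

N = 16          # secret-key dimension (toy; real schemes use hundreds or more)
Q = 2 ** 20     # ciphertext modulus
P = 2 ** 8      # plaintext modulus: messages are integers 0..255
DELTA = Q // P  # scaling gap that keeps the message above the noise
ERR = 2         # per-ciphertext error drawn uniformly from [-ERR, ERR]


def keygen(rng):
    """Secret key: a random vector in Z_Q^N."""
    return [rng.randrange(Q) for _ in range(N)]


def encrypt(sk, m, rng):
    """Return (a, b) with b = <a, sk> + e + DELTA*m (mod Q)."""
    if not 0 <= m < P:
        raise ValueError("message out of range")
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-ERR, ERR)
    b = (sum(ai * si for ai, si in zip(a, sk)) + e + DELTA * m) % Q
    return (a, b)


def decrypt(sk, ct):
    """Remove <a, sk>, round away the noise, recover m modulo P."""
    a, b = ct
    noisy = (b - sum(ai * si for ai, si in zip(a, sk))) % Q
    return ((noisy + DELTA // 2) // DELTA) % P


def add(ct1, ct2):
    """Homomorphic addition: needs no key, just component-wise sums mod Q.
    The noise terms add too, so only a bounded number of additions is safe."""
    a1, b1 = ct1
    a2, b2 = ct2
    return ([(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q)


def encrypted_sum(cts):
    """What an untrusted processor runs: it sees only ciphertexts."""
    acc = cts[0]
    for ct in cts[1:]:
        acc = add(acc, ct)
    return acc


def demo(readings=None, seed=7):
    """Encrypt constructed readings, sum them without the key, decrypt.
    Returns (expected sum mod P, value recovered from the encrypted sum)."""
    rng = random.Random(seed)
    sk = keygen(rng)
    if readings is None:
        readings = [12, 45, 7, 30, 26]  # constructed sample values
    cts = [encrypt(sk, r, rng) for r in readings]
    total_ct = encrypted_sum(cts)       # done by the third party, no key
    return sum(readings) % P, decrypt(sk, total_ct)


if __name__ == "__main__":
    print(demo())  # the two numbers agree: the sum was computed blind
```

The design choice worth noticing is DELTA: the message sits in the high bits and the noise in the low bits, and decryption rounds the noise away. Each homomorphic addition adds the noise terms together, so a real scheme must either bound the number of operations or refresh ciphertexts (the "bootstrapping" that turns such a scheme into fully homomorphic encryption), which is where production FHE libraries spend their engineering effort.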
In addition to FHE, Rohloff recommended that healthcare organizations conduct a cryptographic inventory, talk with vendors about their post-quantum cryptography plans and prioritize protecting data based on what has the longest shelf life and could be most susceptible to cyberthreat actors in upcoming years.
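As an added example of the inventory-and-prioritize step (not code from the article, Rohloff or Duality), the script below classifies each inventoried system's algorithm as quantum-vulnerable, post-quantum, or symmetric, and ranks the vulnerable ones by data shelf life. It goes a little beyond the text by applying Mosca's inequality: if the years the data stays sensitive plus the years needed to migrate exceed the years until a cryptographically relevant quantum computer exists, data encrypted today is already exposed. The inventory rows, the 10-year horizon and the migration estimates are constructed placeholders to be replaced with an organization's own figures.

```python
"""Cryptographic inventory triage for post-quantum planning.

Added example, not the article's or any vendor's code. The asset rows,
horizon and migration estimates below are constructed assumptions.
"""
from dataclasses import dataclass

# Public-key schemes whose factoring / discrete-log hardness falls to Shor's algorithm
SHOR_BREAKABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA"}
# NIST's 2024 post-quantum standards (FIPS 203, 204, 205)
PQC_STANDARD = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers and hashes: Grover only halves effective strength
SYMMETRIC = {"AES", "CHACHA20", "SHA-256", "SHA-3", "HMAC-SHA256"}


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int           # key size, or parameter set for PQC schemes
    shelf_life_years: int   # how long the protected data stays sensitive
    migration_years: int    # estimated time to migrate this system


def classify(asset):
    """Bucket an asset by how its algorithm fares against a quantum adversary."""
    alg = asset.algorithm.upper()
    if alg in SHOR_BREAKABLE:
        return "quantum-vulnerable"
    if alg in PQC_STANDARD:
        return "post-quantum"
    if alg in SYMMETRIC:
        # 256-bit keys keep ample margin after Grover; shorter ones merit review
        return "symmetric-ok" if asset.key_bits >= 256 else "symmetric-review"
    return "unknown"


def is_exposed(asset, quantum_horizon_years):
    """Mosca's inequality: shelf life + migration time > years to a
    cryptographically relevant quantum computer means data encrypted
    under this asset today will still be sensitive when it can be read."""
    return (classify(asset) == "quantum-vulnerable"
            and asset.shelf_life_years + asset.migration_years > quantum_horizon_years)


def triage(assets, quantum_horizon_years=10):
    """Names of exposed assets, longest-lived data first."""
    exposed = [a for a in assets if is_exposed(a, quantum_horizon_years)]
    exposed.sort(key=lambda a: a.shelf_life_years + a.migration_years, reverse=True)
    return [a.name for a in exposed]


def report(assets):
    """Map every asset name to its classification bucket."""
    return {a.name: classify(a) for a in assets}


# Constructed inventory; every value here is a placeholder, not real data
INVENTORY = [
    Asset("ehr-archive-at-rest", "AES", 256, 75, 1),
    Asset("ehr-backup-transport", "RSA", 2048, 75, 3),
    Asset("patient-portal-tls", "ECDH", 256, 30, 2),
    Asset("device-telemetry-tls", "ECDSA", 256, 2, 4),
    Asset("pqc-pilot-vpn", "ML-KEM", 768, 30, 0),
    Asset("legacy-lab-link", "AES", 128, 20, 2),
]

if __name__ == "__main__":
    for name, bucket in report(INVENTORY).items():
        print(f"{name:24s} {bucket}")
    print("migrate first:", triage(INVENTORY))
```

Two things the output makes visible that a flat list of algorithms does not: the telemetry link uses a Shor-breakable curve yet drops out of the urgent list because its data goes stale quickly, while the backup channel, also vulnerable, tops the list because health records keep their sensitivity for decades. The symmetric archive is not broken by quantum computers at all, which is why the inventory should record algorithm type rather than just "encrypted: yes".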
"Preparing for the quantum era is not a distraction from today's cybersecurity challenges but rather a crucial element of a comprehensive, long-term risk management strategy," Rohloff stated.
"By initiating a thoughtful transition toward PQC and exploring the capabilities of quantum-secure technologies like FHE, healthcare leaders can not only neutralize a future threat but also build a more secure and collaborative digital health ecosystem."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.