
How quantum-resistant encryption relates to HIPAA and cybersecurity policies

Quantum-resistant encryption, also known as post-quantum cryptography (PQC), refers to cryptographic methods designed to remain secure even against attacks by quantum computers. Quantum computers, which use the principles of quantum physics to process information in new ways, are expected within the next one to two decades to be capable of breaking the public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve cryptography) that underpin most of today's standard encryption and digital-signature systems; symmetric ciphers such as AES are weakened far less and are addressed by moving to longer keys. In August 2024, the National Institute of Standards and Technology (NIST) finalized three post-quantum cryptography standards: FIPS 203 (ML-KEM, for key establishment), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based signature scheme). These standards now represent the federal benchmark for encryption going forward.

Peer-reviewed research published in Post-quantum healthcare: A roadmap for cybersecurity resilience in medical data reinforces this urgency, noting that quantum computing's computational capabilities pose a direct threat to classical cryptographic techniques that have long been considered secure. The paper identifies four leading categories of quantum-resistant encryption now under active development and standardization: lattice-based cryptography, code-based cryptography, hash-based cryptography, and multivariate polynomial cryptography, each designed to resist attacks from both classical and quantum computers.

Learn more: What is quantum-resistant encryption?

 

What does HIPAA say about encryption?

HIPAA sets the foundational rules for protecting health information in the United States. The law's Security Rule, codified at 45 C.F.R. Part 164, Subpart C, applies to electronic protected health information (ePHI), that is, any individually identifiable health information that is created, received, maintained, or transmitted electronically.

Under 45 C.F.R. § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii), encryption is listed as an "addressable" implementation specification for both access controls and transmission security. "Addressable" does not mean optional: under § 164.306(d)(3), a covered entity must implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. HIPAA's Security Rule does not specify which type of encryption to use. Instead, § 164.312(a)(2)(iv) calls for "a mechanism to encrypt and decrypt electronic protected health information"; the transmission security standard at § 164.312(e)(1) requires covered entities to "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network"; and § 164.312(e)(2)(ii) calls for a mechanism to encrypt ePHI "whenever deemed appropriate".

 

The risk analysis requirement

Under 45 C.F.R. § 164.308(a)(1)(ii)(A), covered entities must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

The quantum threat is now a recognized risk in federal cybersecurity guidance. A risk analysis conducted today that does not account for the long-term quantum threat is therefore incomplete, especially for organizations that store sensitive data whose confidentiality must outlast the expected arrival of a cryptographically relevant quantum computer. The peer-reviewed research notes that health records, insurance details, and treatment histories are high-value targets in the quantum era, and that adversaries can intercept and store encrypted healthcare data today and decrypt it once quantum computing matures, which makes long-lived patient data vulnerable now, not only in the future. This "harvest now, decrypt later" risk is exactly the kind of forward-looking threat that HIPAA's ongoing risk analysis obligation is designed to capture; the practical test is whether the data's required confidentiality lifetime plus the time needed to migrate the system exceeds the time until quantum attacks become practical.

In its December 2024 notice of proposed rulemaking to update the HIPAA Security Rule, HHS signaled greater specificity in what it expects from covered entities regarding encryption and technical safeguards, including a proposal to make encryption of ePHI at rest and in transit a required specification with only limited exceptions. While the proposed rule does not mandate quantum-resistant encryption by name, the direction is clear: stronger, more specific technical requirements are coming.

 

The NIST framework and its role in healthcare

Many healthcare organizations already use the NIST Cybersecurity Framework (CSF), a voluntary framework first published in 2014 and updated to version 2.0 in February 2024, as a guide for building and evaluating their security programs. The CSF organizes cybersecurity activities into six functions:

  • Govern,
  • Identify,
  • Protect,
  • Detect,
  • Respond, and
  • Recover.

NIST CSF 2.0 frames the "Protect" function broadly enough to cover emerging threats such as quantum attacks on current cryptography, and NIST's NCCoE practice guide, Special Publication 1800-38 (Migration to Post-Quantum Cryptography), provides practical recommendations for discovering vulnerable cryptography and transitioning to quantum-resistant algorithms. While the CSF is not legally binding for most private-sector healthcare organizations, it is widely used as evidence of due diligence and is referenced in OCR guidance, including OCR's crosswalk between the Security Rule and the CSF.

For healthcare organizations subject to the Centers for Medicare & Medicaid Services (CMS) Conditions of Participation, or those contracting with federal agencies, NIST standards carry additional weight. Federal agencies are required under the Federal Information Security Modernization Act of 2014 to comply with NIST standards and FIPS publications, and contractors and business associates working with federal programs may be expected to meet the same standards.

 

The National Cybersecurity Strategy and the post-quantum imperative

The White House's National Cybersecurity Strategy, published in March 2023, made the urgency of post-quantum migration explicit. The Strategy identified the threat directly, stating, "Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information. But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today. We must prioritize and accelerate investments in widespread replacement of hardware, software, and services that can be easily compromised by quantum computers so that information is protected against future attacks."

Furthermore, the Strategy was clear that this obligation extends beyond the federal government itself. It directed that, "The Federal Government will prioritize the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments and develop complementary mitigation strategies to provide cryptographic agility in the face of unknown future risks. The private sector should follow the government's model in preparing its own networks and systems for our post-quantum future."

The federal government has therefore called on the private sector, which includes hospitals, health systems, insurers, and their vendors, to begin preparing for the post-quantum transition now. The Strategy also reinforced the long-term investment framing that should inform healthcare planning: "We must defend the systems we have now, while investing in and building toward a future digital ecosystem that is more inherently defensible and resilient."

 

Executive Order 14028 and executive branch guidance

In May 2021, President Biden issued Executive Order 14028, "Improving the Nation's Cybersecurity", which directed federal agencies to adopt stronger cybersecurity practices and to migrate toward zero-trust architectures and modern encryption standards. The order noted the urgency of the challenge, stating directly that "incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life." On encryption specifically, Executive Order 14028 mandated that "agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws." The order also recognized that cybersecurity cannot be a government-only effort, affirming that "protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector" and that "the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely."

Although Executive Order 14028 applies directly to federal agencies, it shows the regulatory direction the entire healthcare system is expected to move toward. The order further directed the Federal Government to "adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services...and invest in both technology and personnel to match these modernization goals". The specific post-quantum mandate for federal systems came in follow-on guidance: National Security Memorandum 10 (May 2022) set the goal of mitigating quantum risk to federal systems by 2035, and OMB Memorandum M-23-02 (November 2022) directed agencies to inventory their cryptographic systems, the same inventory step the private sector is now urged to take.

 

Business associate agreements and the supply chain

45 C.F.R. § 164.308(b)(1) permits a covered entity to let a business associate create, receive, maintain, or transmit ePHI on its behalf only if the covered entity obtains "satisfactory assurances", documented in a business associate agreement (BAA), that the business associate will appropriately safeguard that information. Since the HITECH Act, business associates are also directly subject to the Security Rule's safeguard requirements.

This means that even if your internal systems are secure, your vendors' encryption practices matter too. The peer-reviewed research makes this point, observing that healthcare systems are interconnected and that each connection point is a potential vulnerability if quantum-resistant protections are not uniformly applied across the supply chain. As quantum-resistant encryption becomes standard, covered entities should begin asking vendors about their post-quantum migration plans. This due diligence aligns with the § 164.308(b)(1) requirement that business associates provide "satisfactory assurances" that they will safeguard ePHI.

 

What does this mean in practice?

Healthcare organizations do not need to replace all encryption systems today, but they can start taking certain steps, such as:

  • Updating the risk analysis to include an assessment of the quantum threat, especially for data with long-term sensitivity.
  • Conducting a cryptographic inventory: identifying every system that uses cryptography and documenting the algorithms, key sizes, protocols, and libraries in use, including those embedded in vendor products and configuration files. This is specifically recommended in NIST SP 1800-38, and the peer-reviewed research echoes it as a foundational step, recommending that healthcare organizations assess compatibility between post-quantum algorithms and their existing infrastructure before beginning any migration.
  • Engaging vendors: asking whether they are tracking NIST's post-quantum standards and what their migration timelines look like.
  • Building quantum-resistant encryption, and the cryptographic agility to swap algorithms later, into new systems and major upgrades now. The peer-reviewed research supports a phased approach, prioritizing systems that handle the most sensitive and longest-lived data first, then working outward across the broader technology stack.
  • Investing in staff training and awareness. The research identifies workforce education as one of the most commonly overlooked elements of post-quantum readiness, noting that healthcare professionals at all levels need baseline familiarity with why these changes are necessary and how they affect day-to-day operations.
  • Monitoring regulatory updates from HHS, OCR, and NIST.
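As an added example (this is not code from the Paubox article, from NIST SP 1800-38, or from the cited research), the following Python sketches how the inventory and prioritization steps above connect to the "harvest now, decrypt later" reasoning in the risk analysis section. It classifies each inventoried algorithm against the quantum threat, using the three FIPS standards named earlier as the post-quantum bucket, and ranks systems with Mosca's inequality: data is already exposed when its confidentiality shelf life plus the migration time exceeds the expected years until a cryptographically relevant quantum computer. The system names, retention periods, migration estimates, and the ten-year horizon are all constructed assumptions.

```python
"""Quantum-risk triage for a cryptographic inventory.

Added example, not code from the Paubox article, NIST SP 1800-38 or the
cited research.  Everything other than the algorithm table (system names,
retention periods, migration estimates, the 10-year CRQC horizon) is a
constructed assumption for illustration.
"""
from dataclasses import dataclass

# ASSUMPTION: years until a cryptographically relevant quantum computer
# (CRQC) exists.  Pick your own figure; the ranking logic is what matters.
CRQC_HORIZON_YEARS = 10

# Algorithm -> quantum status.
#  broken   : Shor's algorithm recovers the private key once a CRQC exists
#  weakened : Grover's algorithm halves the effective key length
#  ok       : no known quantum speed-up that matters at this size
#  pqc      : NIST post-quantum standard (FIPS 203 / 204 / 205)
QUANTUM_STATUS = {
    "RSA-2048": "broken", "RSA-3072": "broken", "RSA-4096": "broken",
    "DH-2048": "broken", "ECDH-P256": "broken", "X25519": "broken",
    "ECDSA-P256": "broken", "Ed25519": "broken",
    "AES-128": "weakened",
    "3DES": "weakened",        # also disallowed for encryption by NIST SP 800-131A after 2023
    "AES-256": "ok", "SHA-256": "ok", "SHA-384": "ok", "HMAC-SHA256": "ok",
    "ML-KEM-768": "pqc", "ML-KEM-1024": "pqc",     # FIPS 203 key encapsulation
    "ML-DSA-65": "pqc", "ML-DSA-87": "pqc",        # FIPS 204 signatures
    "SLH-DSA-SHA2-128s": "pqc",                    # FIPS 205 hash-based signatures
}


@dataclass(frozen=True)
class System:
    name: str
    algorithms: tuple       # (algorithm, role) pairs; role is kex, sig, sym or hash
    retention_years: int    # how long the data must stay confidential (x in Mosca's inequality)
    migration_years: int    # estimated time to migrate this system (y)


@dataclass
class Finding:
    system: str
    broken: list
    weakened: list
    unknown: list
    hndl_exposed: bool      # harvest-now-decrypt-later exposure
    priority: int           # 0 = migrate first, 3 = already quantum-safe
    years_at_risk: int      # x + y, used to order systems within a priority


def mosca_exposed(retention_years, migration_years, horizon_years=CRQC_HORIZON_YEARS):
    """Mosca's inequality: if x + y > z the data is already exposed to
    harvest-now-decrypt-later, because migration finishes after the
    attacker can decrypt what was captured today."""
    return retention_years + migration_years > horizon_years


def assess(system, horizon_years=CRQC_HORIZON_YEARS):
    broken, weakened, unknown = [], [], []
    confidentiality_broken = False
    for alg, role in system.algorithms:
        status = QUANTUM_STATUS.get(alg, "unknown")
        if status == "broken":
            broken.append(alg)
            # Only key establishment and bulk encryption matter for HNDL;
            # a broken signature cannot be exploited retroactively.
            if role in ("kex", "sym"):
                confidentiality_broken = True
        elif status == "weakened":
            weakened.append(alg)
        elif status == "unknown":
            unknown.append(alg)   # unrecognised or proprietary: needs manual review

    exposed = confidentiality_broken and mosca_exposed(
        system.retention_years, system.migration_years, horizon_years)
    if exposed:
        priority = 0
    elif broken or unknown:
        priority = 1
    elif weakened:
        priority = 2
    else:
        priority = 3
    return Finding(system.name, broken, weakened, unknown, exposed, priority,
                   system.retention_years + system.migration_years)


def prioritize(systems, horizon_years=CRQC_HORIZON_YEARS):
    """Return findings ordered so the first entry is the system to migrate first."""
    findings = [assess(s, horizon_years) for s in systems]
    return sorted(findings, key=lambda f: (f.priority, -f.years_at_risk, f.system))


# Constructed sample inventory (not real systems).
INVENTORY = (
    System("EHR backup archive",
           (("RSA-2048", "kex"), ("AES-256", "sym"), ("SHA-256", "hash")), 30, 3),
    System("Patient portal TLS",
           (("X25519", "kex"), ("ECDSA-P256", "sig"), ("AES-128", "sym")), 10, 2),
    System("Device telemetry API",
           (("X25519", "kex"), ("AES-256", "sym")), 1, 1),
    System("Legacy lab interface",
           (("DH-2048", "kex"), ("3DES", "sym"), ("VendorCipher-7", "sym")), 25, 5),
    System("Release signing service",
           (("ML-DSA-65", "sig"), ("SHA-384", "hash")), 5, 1),
    System("SMS reminder log store",
           (("AES-128", "sym"),), 2, 1),
)


if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        flag = "HNDL-EXPOSED" if f.hndl_exposed else ""
        print(f"P{f.priority} {f.system:<26} broken={f.broken} weakened={f.weakened} "
              f"unknown={f.unknown} {flag}")
```

With these assumptions the archive of backups, the legacy lab interface, and the patient portal come out first because their key exchange is quantum-breakable and the data they protect must stay confidential well beyond the migration window; the telemetry API uses the same X25519 but short-lived data, so it ranks lower; the unrecognised vendor cipher is flagged rather than silently treated as safe. A real inventory would feed the same logic from certificate, TLS, and library scans rather than a hand-built table.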

 

FAQs

Does this apply to small practices too?

Yes, quantum threats target encryption methods universally, regardless of the size of the organization using them.

 

Are patients at risk beyond privacy violations?

Yes, compromised or manipulated health records carry direct patient safety implications, including the risk of misdiagnosis or incorrect treatment.

 

What about connected medical devices?

Devices that transmit data wirelessly rely on the same encryption standards under threat, making them a part of any quantum-readiness assessment.
