The digital transformation of healthcare has been rapidly accelerated by the expansion of the Internet of Medical Things (IoMT). This network of interconnected medical devices and sensors enables the continuous collection, transmission, and analysis of clinical data via wireless communication, facilitating remote patient monitoring and real-time clinical decision support.
However, this increasing interconnectivity generates massive volumes of sensitive data, such as Electronic Health Records (EHRs), making data protection a central challenge. Currently, the confidentiality and integrity of this data rely heavily on classical cryptographic schemes, such as RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography).
With the advent of Quantum Computing and its potential to solve mathematical problems that are intractable for conventional computers, these classical methods face a credible risk of obsolescence within the lifetime of data being stored today. In this context, Post-Quantum Cryptography (PQC) emerges as the strategic response for keeping medical information protected in a quantum-capable landscape.
This article analyzes the impact of the quantum threat on healthcare data security and explores how PQC can be applied to ensure cyber resilience within the IoMT ecosystem.
Quantum Vulnerabilities in Healthcare Data Security
Digital security in the healthcare sector faces a growing challenge as quantum processing power threatens to break current cryptographic systems.
Vulnerable medical data includes, but is not limited to, EHRs, lab results, and IoMT device telemetry. The protection of this information relies on classical algorithms that will become susceptible to quantum factoring and search algorithms. Two, in particular, represent significant threats: Shor’s Algorithm and Grover’s Algorithm.
Shor’s Algorithm and Asymmetric Cryptography
Published in 1994, Shor's Algorithm factors large integers and computes discrete logarithms (including elliptic-curve discrete logarithms) in polynomial time on a quantum computer; no efficient classical algorithm for either problem is known. These two problems are exactly what RSA and ECC rest on, so both schemes break outright once a large enough quantum computer exists, affecting key exchange, digital signatures, and medical device authentication alike.
No "Cryptographically Relevant Quantum Computer" (CRQC) able to run Shor's Algorithm against RSA-2048 keys is known to exist today. Published resource estimates put the requirement at on the order of a million or more physical qubits running under error correction for hours to days, far beyond any current machine, but those estimates have fallen steadily over the years, and once such a machine exists the attack takes hours, against the millions of years a classical factoring effort would need.
Grover’s Algorithm and Symmetric/Hash Cryptography
Grover’s Algorithm provides a quadratic speedup for unstructured searches, affecting both symmetric encryption and hash functions.
- Symmetric Encryption (AES): Grover cuts a brute-force key search from about 2^n to about 2^(n/2) evaluations, so AES-128 drops to roughly 64-bit quantum-era security while AES-256 keeps about 128 bits, which is still considered adequate. The practical impact is smaller than the exponent suggests, because Grover's search is inherently sequential and cannot be spread across machines the way a classical brute-force search can; even so, the conservative rule for data that must stay confidential for decades is to double key sizes, i.e. use AES-256.
- Hash Functions (SHA-256): Grover likewise weakens preimage resistance (from 256-bit to about 128-bit for SHA-256), and known quantum collision-finding algorithms improve on the classical birthday bound only at the cost of very large quantum memory, so SHA-256 remains usable. These properties underpin the integrity and authenticity of medical records and transactions, so new designs should use SHA-256 at minimum and SHA-384 or SHA-512 where a larger margin is wanted.
Implications for the IoMT Ecosystem
Devices such as insulin pumps, portable heart monitors, and continuous glucose monitors (CGMs) utilize traditional cryptographic algorithms but operate with limited computational and power resources. This makes the adoption of more robust security mechanisms a technical challenge.
A successful quantum attack could allow the interception, alteration, or forgery of real-time data, leading to incorrect diagnoses, improper medication dosing, or failures in automated treatment. There is also the "Harvest Now, Decrypt Later" threat: attackers record encrypted traffic today and decrypt it once a CRQC exists, which matters for any data whose confidentiality must outlast the arrival of such a machine.
Post-Quantum Cryptography (PQC)
PQC represents a new generation of cryptographic algorithms designed to be secure against quantum attacks while remaining compatible with classical hardware.
Unlike Quantum Key Distribution (QKD), which needs dedicated quantum-optical hardware (photon sources, single-photon detectors, and a direct optical link between the endpoints), PQC runs on ordinary processors and slots into existing protocols and infrastructure. PQC is built on mathematical problems for which no efficient quantum algorithm is known, such as:
- Learning With Errors (LWE) and its module variant, the basis of Kyber/ML-KEM and Dilithium/ML-DSA
- Short Integer Solution (SIS)
- Multivariate Quadratic (MQ) equation solving
- Syndrome decoding of random linear codes (Classic McEliece)
- Preimage resistance of hash functions (SPHINCS+)
None of these problems has the hidden periodic structure that Shor's Algorithm exploits; the best known quantum attacks on them give at most a generic Grover-style speedup, which the parameter sizes absorb. This is a statement about current knowledge rather than a proof, which is one reason NIST standardized schemes from more than one family and why hybrid deployment is advised during the transition.
Key Applications of PQC in Healthcare
PQC is essential for protecting the pillars of digital health infrastructure, from EHRs to IoMT devices and the communication platforms that support the modern hospital ecosystem.
1. Protecting Electronic Health Records (EHRs)
EHRs contain highly sensitive personal data and clinical histories. This data exists both at rest (stored on servers/cloud) and in transit (during exchange between providers). PQC mechanisms are required for:
- Secure Key Exchange: using a PQC key-encapsulation mechanism (KEM) such as CRYSTALS-Kyber, standardized by NIST as ML-KEM (FIPS 203), to establish the symmetric session key that then protects records in transit.
- Digital Signatures and Data Integrity: ensuring authenticity and non-repudiation with quantum-resistant signatures such as CRYSTALS-Dilithium (NIST ML-DSA, FIPS 204) and SPHINCS+ (NIST SLH-DSA, FIPS 205).
- Dilithium offers a good balance of security, speed, and signature size (a few kilobytes), making it the default choice for hospital systems that sign and verify at volume.
- SPHINCS+ is hash-based, so its security rests only on the underlying hash function rather than on a lattice assumption; its signatures are larger and slower to produce, which suits low-volume, high-assurance uses where verification should not depend on a single mathematical assumption.
- Long-term Archiving: for records that must stay confidential for decades (e.g., radiological images), a conservative choice is Classic McEliece, whose code-based problem has withstood cryptanalysis since the scheme was published in 1978. Its public keys are large (hundreds of kilobytes to about a megabyte), which is acceptable for a handful of long-lived archive keys but not for per-device use, and it is not among NIST's first three PQC standards. In every case the KEM only wraps a symmetric key; the archived data itself is encrypted with AES-256.
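The key-exchange item in the list above, and the hybrid model the call to action below recommends, as an added example that is not part of the original article: the sender and receiver sides of a hybrid X25519 + ML-KEM key agreement in Go, using only the standard library. The X25519 half is real (crypto/ecdh); the ML-KEM-768 public key, ciphertext, and shared secret are treated as opaque inputs produced by a PQ library such as Go 1.24's crypto/mlkem or liboqs, and the demo substitutes constructed random bytes of the FIPS 203 sizes for them, so what it exercises is the combiner and the transcript binding, not a post-quantum encapsulation. The HKDF label and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdfSHA256 is RFC 5869 extract-then-expand with a zero salt, one 32-byte block.
func hkdfSHA256(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// HybridKey concatenates the classical and post-quantum shared secrets and binds
// the key to the whole transcript; breaking one KEM leaves half the input unknown.
func HybridKey(ssClassical, ssPQ []byte, transcript ...[]byte) ([]byte, error) {
	if len(ssClassical) != 32 || len(ssPQ) != 32 {
		return nil, fmt.Errorf("hybrid: want 32-byte secrets, got %d and %d", len(ssClassical), len(ssPQ))
	}
	info := []byte("iomt-hybrid-kem-v1") // domain label chosen for this example
	for _, part := range transcript {
		info = append(info, byte(len(part)>>8), byte(len(part))) // length prefix
		info = append(info, part...)
	}
	return hkdfSHA256(append(append([]byte{}, ssClassical...), ssPQ...), info), nil
}

// SenderKey: fresh X25519 ephemeral (its public half is the classical ciphertext) plus the ML-KEM outputs.
func SenderKey(receiverPub, pqPub, pqCT, pqSS []byte) (x25519CT, key []byte, err error) {
	peer, err := ecdh.X25519().NewPublicKey(receiverPub)
	if err != nil {
		return nil, nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssClassical, err := eph.ECDH(peer) // errors on low-order points (all-zero secret)
	if err != nil {
		return nil, nil, err
	}
	x25519CT = eph.PublicKey().Bytes()
	key, err = HybridKey(ssClassical, pqSS, receiverPub, pqPub, x25519CT, pqCT)
	return x25519CT, key, err
}

// ReceiverKey: static X25519 key plus the ML-KEM secret decapsulated from pqCT.
func ReceiverKey(priv *ecdh.PrivateKey, pqPub, x25519CT, pqCT, pqSS []byte) ([]byte, error) {
	eph, err := ecdh.X25519().NewPublicKey(x25519CT)
	if err != nil {
		return nil, err
	}
	ssClassical, err := priv.ECDH(eph)
	if err != nil {
		return nil, err
	}
	return HybridKey(ssClassical, pqSS, priv.PublicKey().Bytes(), pqPub, x25519CT, pqCT)
}

// standInMLKEM returns constructed random values shaped like ML-KEM-768 outputs (FIPS 203 sizes).
// It is NOT an encapsulation; substitute crypto/mlkem (Go 1.24+) or liboqs here.
func standInMLKEM() (pub, ct, ss []byte) {
	pub, ct, ss = make([]byte, 1184), make([]byte, 1088), make([]byte, 32)
	for _, b := range [][]byte{pub, ct, ss} {
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
	}
	return pub, ct, ss
}

// Demo runs one full exchange and returns the keys both sides derived.
func Demo() (senderKey, receiverKey []byte, err error) {
	receiver, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pqPub, pqCT, pqSS := standInMLKEM()
	x25519CT, senderKey, err := SenderKey(receiver.PublicKey().Bytes(), pqPub, pqCT, pqSS)
	if err != nil {
		return nil, nil, err
	}
	receiverKey, err = ReceiverKey(receiver, pqPub, x25519CT, pqCT, pqSS)
	return senderKey, receiverKey, err
}

func main() {
	s, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys match: %v\nsession key: %x\n", hmac.Equal(s, r), s)
}
```

Two design points matter more than the arithmetic: the transcript (both public keys and both ciphertexts) goes into the HKDF info so a swapped or replayed ciphertext yields a different key rather than a silently shared one, and the secret lengths are checked so a misbehaving PQ library cannot contribute an empty secret and quietly reduce the hybrid to X25519 alone.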
2. Security for Resource-Constrained IoMT Devices
IoMT devices operate under strict memory and power constraints. CRYSTALS-Kyber (now ML-KEM; the ML-KEM-512 and ML-KEM-768 parameter sets correspond to Kyber512 and Kyber768) has been implemented in compact code with low RAM usage, for example in the pqm4 benchmark collection, making it viable on ARM Cortex-M4 class microcontrollers and, with care, on smaller cores such as the Cortex-M0.
To overcome hardware limitations, optimization strategies include:
- Using FPGA or ASIC acceleration.
- Implementing collaborative key generation architectures.
- Utilizing lightweight lattice-based algorithms.
Cyber Resilience as a Result of PQC
The strategic adoption of PQC in healthcare is more than a technology upgrade; it is a foundation of long-term cyber resilience, the ability of the healthcare ecosystem to keep data confidential and intact through a disruptive change in attacker capability. By deploying Kyber, Dilithium, and SPHINCS+ (ML-KEM, ML-DSA, and SLH-DSA), organizations keep key exchange, signatures, and record integrity secure against a future quantum adversary, which blocks tampering and forgery at the cryptographic layer. Confidentiality in practice still depends on the rest of the system (key management, access control, patched devices), so PQC is a necessary layer rather than a guarantee on its own.
Preparing for the Future: A Call to Action
The transition to PQC is a strategic imperative. Even though no CRQC exists today, traffic encrypted now under RSA or ECC key exchange can be recorded and decrypted later, so continued reliance on these algorithms for long-lived data is already a tangible threat to patient privacy.
How to prepare:
- Inventory Cryptographic Assets: build a cryptographic bill of materials that records where RSA, ECC, and short symmetric keys are used (TLS endpoints, device identities, signing CAs, archives) and how long the data each one protects must stay confidential.
- Adopt Hybrid Models: combine a classical and a PQC algorithm (for example X25519 together with ML-KEM-768, as deployed in TLS) so that a break of either one alone does not expose the session key during the transition.
- Align with International Standards: follow NIST's PQC standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), published in August 2024, and NIST's migration guidance.
- Execute a Structured Roadmap: Prioritize long-lived data (the "Harvest Now" risk) and critical IoMT infrastructure.
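Both the Grover discussion above (halving of symmetric and hash strength) and the inventory step of this roadmap, as an added example that is not part of the original article: a small Go inventory tool that parses PEM certificates, classifies each public key (RSA and ECC are recorded as zero quantum-era bits because Shor breaks them outright), scores symmetric keys and hash digests under Grover's halving, and flags what to replace or upgrade. The two certificates and three symmetric entries are constructed inside the code (asset names invented); a real run would read PEM files or TLS handshakes and attach the retention period of the data each key protects, since that is what turns a finding into a "Harvest Now, Decrypt Later" exposure.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row. Bits are approximate security levels on the
// NIST SP 800-57 scale: 0 once Shor applies, halved where only Grover applies.
type Finding struct {
	Asset, Algorithm           string
	ClassicalBits, QuantumBits int
	Action                     string
}

// AssessCertPEM parses one PEM certificate (TLS endpoint, device identity,
// signing CA) and classifies its public key. RSA and ECC both fall to Shor.
func AssessCertPEM(asset string, pemBytes []byte) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("%s: no CERTIFICATE block found", asset)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	const replace = "replace: broken by Shor; migrate to ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		n, bits := pub.N.BitLen(), 112 // RSA-2048 ~ 112 bits, RSA-3072 ~ 128
		if n >= 3072 {
			bits = 128
		}
		return Finding{asset, fmt.Sprintf("RSA-%d", n), bits, 0, replace}, nil
	case *ecdsa.PublicKey:
		p := pub.Curve.Params() // classical strength is half the field size
		return Finding{asset, "ECDSA-" + p.Name, p.BitSize / 2, 0, replace}, nil
	default:
		return Finding{}, fmt.Errorf("%s: unhandled key type %T", asset, pub)
	}
}

// AssessSymmetric covers cipher keys and hash preimage resistance, where
// Grover halves the exponent rather than breaking the primitive; 128
// quantum-era bits is treated as the floor for long-lived medical data.
func AssessSymmetric(asset, algorithm string, bits int) Finding {
	action := "ok"
	if bits/2 < 128 {
		action = "upgrade: use a 256-bit key or a 384-bit-or-larger hash"
	}
	return Finding{asset, algorithm, bits, bits / 2, action}
}

// SampleCerts builds two constructed device certificates (names invented): an
// RSA-2048 EHR gateway and a P-256 insulin pump. A real inventory would read
// PEM files or TLS handshakes instead of generating keys.
func SampleCerts() map[string][]byte {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	out := map[string][]byte{}
	for cn, key := range map[string]crypto.Signer{"ehr-gateway.example": rsaKey, "insulin-pump-0042": ecKey} {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
		if err != nil {
			panic(err)
		}
		out[cn] = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return out
}

func main() {
	findings := []Finding{
		AssessSymmetric("telemetry-link", "AES-128-GCM", 128),
		AssessSymmetric("ehr-at-rest", "AES-256-GCM", 256),
		AssessSymmetric("record-digest", "SHA-256 preimage", 256),
	}
	for asset, pemBytes := range SampleCerts() {
		f, err := AssessCertPEM(asset, pemBytes)
		if err != nil {
			panic(err)
		}
		findings = append(findings, f)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %-18s classical=%3d quantum=%3d  %s\n",
			f.Asset, f.Algorithm, f.ClassicalBits, f.QuantumBits, f.Action)
	}
}
```

Run with `go run` to print one line per asset. The AES-128 telemetry link is flagged (64 quantum-era bits), AES-256 and SHA-256 pass at 128, and both certificates are marked for replacement regardless of key size, which is the practical difference between Grover (a margin problem) and Shor (a replacement problem).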
Proactive action today will define the security and trust of the healthcare systems of tomorrow.


