Healthcare Quantum Risk

HIPAA does not explicitly mention quantum-resistant encryption. However, HIPAA requires a documented risk analysis that identifies threats and vulnerabilities to ePHI. Given public acknowledgment of quantum threats by NIST, NSA, and CISA, a risk analysis that ignores quantum computing could be cited as inadequate. HHS proposed mandatory encryption requirements in early 2026. PTG recommends updating your risk analysis to address quantum threats now, before HHS formalizes the requirement.

PHI confidentiality extends for the patient's lifetime. For a child born today, that could be 80+ years. Some categories of PHI have even longer requirements: genetic data is relevant to descendants indefinitely; psychotherapy notes carry sensitivity that does not diminish with time. HIPAA retention rules require covered entities to maintain certain records for 6 years, but the confidentiality obligation persists far beyond retention periods. This is why healthcare faces the longest quantum exposure window of any industry.

Yes. Healthcare data is a prime target for harvest now, decrypt later campaigns because of its long confidentiality shelf life and high value. Nation-state adversaries intercept encrypted healthcare data transmitted over the internet (EHR queries, FHIR API calls, telehealth sessions, medical imaging transfers) and store it for future quantum decryption. The NSA has publicly acknowledged HNDL as an active threat. Healthcare organizations cannot prevent all interception, but they can minimize HNDL value by migrating to PQC encryption for data in transit.

Many connected medical devices (infusion pumps, patient monitors, legacy imaging equipment) have embedded cryptographic implementations that cannot be firmware-updated. For these devices, the migration strategy involves compensating controls: network segmentation to isolate quantum-vulnerable devices, PQC-encrypted gateway proxies that re-encrypt traffic before it leaves the network, and managed replacement timelines aligned to device lifecycle and FDA requirements. PTG's assessment identifies these devices and recommends specific compensating controls for each category.

Telehealth significantly increases quantum exposure. In-person care generates PHI that is stored locally and transmitted over internal networks. Telehealth transmits PHI over the public internet, where it is exposed to HNDL interception at every network hop. Video conferencing platforms, remote patient monitoring devices, and patient portal communications all use TLS with quantum-vulnerable key exchanges. As telehealth adoption continues to grow post-pandemic, the quantum attack surface for healthcare organizations expands proportionally.

Yes. HIPAA's Business Associate Rule requires BAs to implement safeguards for PHI equivalent to those of the covered entity. As covered entities update their risk analyses to address quantum threats, Business Associates will face the same expectations. PTG recommends adding PQC migration requirements to Business Associate Agreements (BAAs) now, including specific timelines and reporting obligations. Our assessment includes a BAA addendum template for this purpose.

HHS proposed mandatory encryption for ePHI in early 2026, removing the "addressable" flexibility in the current Security Rule. If finalized, this rule would require all covered entities and Business Associates to encrypt ePHI at rest and in transit with NIST-approved algorithms. As NIST transitions its approved algorithm list to include PQC and deprecate quantum-vulnerable algorithms, mandatory encryption under the updated rule would effectively require PQC. Organizations that begin quantum migration now will be ahead of this regulatory curve.

Pricing depends on the size of your organization, the complexity of your healthcare IT environment (number of EHR systems, connected devices, interoperability connections), and the depth of HIPAA compliance documentation required. PTG's initial consultation is free, and we provide a detailed proposal after the scoping call. The assessment can be delivered as a standalone engagement or integrated with a broader quantum readiness assessment and PQC migration plan.

Yes. HNDL attackers do not discriminate by practice size. Small practices often use the same EHR platforms, health information exchanges, and cloud services as large hospital systems. PHI from a small practice is equally valuable and equally sensitive. Small practices also face proportionally higher regulatory risk: a HIPAA breach involving quantum-decrypted PHI would be devastating regardless of organization size. PTG's assessment scales to practices of all sizes, and the initial consultation is free.

PTG's assessment produces deliverables that integrate directly into your existing HIPAA compliance program. The updated risk analysis feeds into your annual review cycle. Risk register entries follow your existing scoring methodology. Remediation roadmap items are formatted as HIPAA action items with responsible parties, deadlines, and evidence requirements. If you have an upcoming OCR audit or third-party HIPAA assessment, the quantum risk documentation strengthens your overall compliance posture by demonstrating proactive risk management.