Are You Ready For Quantum Day in Healthcare?

From AI-driven diagnostics to wearable smart devices and telehealth breakthroughs, rapid digital transformation drives modern healthcare service delivery.

Healthcare was once a tech-resistant industry, and one where many legacy systems still play critical roles in operations, but its technology adoption has evolved radically since the pre-COVID era.

With all these breakthroughs and benefits, many covered entities and business associates struggle to keep pace with the increased risk these innovations introduce into the modern healthcare ecosystem. The more technologies, web apps, smart devices, and cloud services your organization adopts, the greater the chance of a cyber breach.

And, as concerning as this already is, as reflected in the millions of patient health record exposures each year, it’s merely the tip of an iceberg.

As the industry races toward “Quantum Day” or “Q-Day,” healthcare organizations may soon face the serious risk implications of quantum computing.

While it will further advance and revolutionize care delivery, it also gives threat actors unprecedented access to advanced tools that could, experts predict, break even the most stringent encryption methods, like RSA 2048, in less than 24 hours.

This widely used encryption standard is a well-tested defense barrier to protect electronic patient health information (ePHI) from today’s most complex tactics, techniques, and procedures (TTPs).

Yet, when Q-Day arrives, these complex attack methods will pale compared to the unprecedented security challenges waiting at the industry’s doorstep.

What is Q-Day in Healthcare?

Quantum Day, or Q-Day, is a hypothetical future date when quantum computers will be powerful enough to let threat actors break current cryptographic algorithms in 24 hours or less.

Evolving Quantum Computing Threats

Ultimately, preparing for Q-Day is a race against the clock — one where training and preparation must happen while security and compliance teams are exhausted trying to keep pace with the evolving threats healthcare’s expanding attack surface creates.

Right out of the gate, these teams and their security leaders must understand quantum threats looming around the corner.

Two quantum approaches pose among the greatest risks — Shor’s Algorithm and Grover’s Algorithm.

Shor’s Algorithm

Shor’s Algorithm enables quantum computers to efficiently factor large integers, which is what breaks RSA encryption.

Grover’s Algorithm

Grover’s Algorithm doesn’t break symmetric encryption outright, but it reduces the effective security level of a key, so larger key sizes are required to maintain the same level of data protection.

So, what’s the potential likelihood and impact?

If and when quantum computers reach that scale, they could make all the encryption standards the industry uses obsolete.

Why is this a problem?

Without resolution, all sensitive data will likely be at risk. If history repeats itself, the healthcare sector will struggle with these necessary, and mandatory, transformations, especially if a high percentage of organizations continue to use legacy equipment.

Today’s data protection standards won’t be mature enough to tackle these new risks either.

Harvest Now, Decrypt Later (HNDL)?

To compound these challenges further, attackers are already considering quantum potential. That means the data they exfiltrate in attacks today has the potential for exploitation and decryption later.

According to a brief CISA released as early as 2022, National Critical Functions (NCFs), like healthcare, “that depend on data confidentiality over long time frames are uniquely vulnerable to quantum challenges.”

This includes catch-and-exploit campaigns, in which adversaries capture encrypted data using current encryption algorithms. They then hold onto that data to decrypt it when a quantum computer can break that encryption.

When you consider current breaches, such as the Connecticut Community Health Center breach reported earlier this year, where a single breach potentially exposed 1 million records, attackers can already exfiltrate vast amounts of data in just hours. Quantum computing will rapidly escalate these capabilities.

Already this year, the Office for Civil Rights (OCR) has launched investigations into almost 100 breaches. On top of that, ransomware attacks on healthcare grew in the last 30 days. There were at least 35 alleged attacks on healthcare between January 1 and mid-February, with a larger number of threat actors targeting the sector.

There has also been a wave of ransomware attacks on radiology businesses, sometimes causing practice closures.

Is the Perfect Storm Brewing?

Bad actors target healthcare because they know the sector has long-term, high-value data. Many organizations also lag in data governance and data protection.

Part of the struggle is that many healthcare organizations lack clear insight into all their assets and risks. They don’t clearly understand where all their data is, what that data is, or how the organization and its vendors use it. Sometimes, the sensitivity of that data isn’t even clear. For example, is it classified? Is it encrypted in transit and at rest?

On top of that, the healthcare threat landscape constantly evolves. Within that landscape, some trends stand out:

  • Increase in volume and complexities of supply chain and cloud attacks
  • Faster speed of intrusions
  • AI-assisted attacks

As previously mentioned, the sector is also plagued with legacy systems that teams can’t easily upgrade or support with timely changes such as encryption, operating system updates, and patches.

Resolving these issues is critical to meeting the quantum computing risks ahead, and all of them drive home the most critical point: healthcare must stop threat actors from taking data today.

Preparing Critical Infrastructure for Post-Quantum Cryptography

So, what can you do now? Here are some best practices to shift your security and compliance practices in the right direction:

  • Stay informed on post-quantum cryptography.
  • Start planning now to protect your data today.
  • Implement effective data protection controls like governance, encryption, loss prevention, and data segmentation.
  • Review:
  • Educate your board, senior leaders, and stakeholders on what’s ahead and how much more challenging and far-reaching Q-Day may be.
  • Develop three- to five-year strategic plans to address post-quantum cryptography with the understanding that current encryption methods may become obsolete.
  • Prepare mitigation plans.
  • Upgrade your current environment where you can. This won’t be something you can address overnight. Start now to stay ahead of pressing quantum risks.
  • Take a deeper dive into encryption protocols. Talk with vendors that specialize in encryption. Assess your current and future state.
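As an added example (not from the original post or from Clearwater), the Shor/Grover distinction described earlier and the “assess your current and future state” step above can be turned into a first-pass triage of a cryptographic inventory. The 128-bit post-quantum target, the Q-Day planning horizon, and the sample assets are all assumptions constructed for illustration.

```python
"""Added example: triage a constructed cryptographic inventory against the
two quantum threats the post names (Shor's and Grover's algorithms)."""
from dataclasses import dataclass

# Shor's algorithm breaks these public-key schemes regardless of key size.
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}
# Grover's algorithm roughly halves the effective strength of these ciphers.
GROVER_WEAKENED = {"AES", "CHACHA20"}
PQ_TARGET_BITS = 128  # assumed minimum effective strength after Q-Day


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    retention_years: int  # how long the protected ePHI must stay confidential


def effective_pq_bits(algorithm: str, key_bits: int) -> int:
    """Effective security in bits once a large quantum computer exists."""
    alg = algorithm.upper()
    if alg in SHOR_VULNERABLE:
        return 0              # Shor: broken outright
    if alg in GROVER_WEAKENED:
        return key_bits // 2  # Grover: quadratic speed-up on key search
    raise ValueError(f"unknown algorithm {algorithm!r}")


def assess(asset: Asset, qday_horizon_years: int) -> str:
    """Return 'ok', 'migrate', or 'hndl' (harvest-now-decrypt-later exposure)."""
    if effective_pq_bits(asset.algorithm, asset.key_bits) >= PQ_TARGET_BITS:
        return "ok"
    # Data that must stay confidential past the assumed Q-Day horizon can be
    # captured today and decrypted later, even though the link is safe now.
    if asset.retention_years >= qday_horizon_years:
        return "hndl"
    return "migrate"


def triage(assets, qday_horizon_years: int) -> dict:
    return {a.name: assess(a, qday_horizon_years) for a in assets}


# Constructed sample inventory for demonstration only.
SAMPLE_ASSETS = [
    Asset("patient-portal-tls", "RSA", 2048, 10),
    Asset("imaging-archive", "AES", 128, 30),
    Asset("vpn-session-keys", "AES", 256, 1),
    Asset("ehr-api-mtls", "ECDSA", 256, 2),
]

if __name__ == "__main__":
    for name, label in triage(SAMPLE_ASSETS, qday_horizon_years=10).items():
        print(f"{name:22s} {label}")
```

Items labelled “hndl” are the ones to prioritise, because an attacker who captures that traffic or those archives today gains the full retention window to decrypt them.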

Understand that although there is a theoretical Q-Day, no one can predict exactly when it will arrive. But as soon as quantum computers have these capabilities, it will be a significant issue for everyone.

If you don’t already have trusted data protection practices, now is the time to look at them and make them an organization-wide priority. The longer you delay, the wider the gap grows. It will only get harder to get ahead of attackers — and they’re hoping you don’t.

Ultimately, if you can successfully prevent threat actors from stealing data today, you’ll be better prepared to prevent them from extorting you with that data in the future.

Act Now to Secure Your Quantum Future

Contact Clearwater today for expert guidance and proactive solutions tailored to safeguard your organization from the quantum threat and beyond: https://clearwatersecurity.com/contact/
