Protecting Patient Data: Why Quantum Security is a Must in Health Care

When you visit the doctor or have a hospital stay, you and your patient data become elements in a vast, highly complex digital technology ecosystem. This is because you (as the patient) generate enormous volumes of data that are stored and analyzed across interconnected systems. The goal of all of this is improved health care outcomes, but the current health care digital landscape also represents a critical cyberattack surface. This is particularly true of medical devices and the internet-of-medical-things (IoMT). Security is a serious matter in health care, and most organizations involved in health care technology are busy implementing countermeasures against prevailing cyberthreats. More work is needed, especially considering the looming quantum computing threat to data encryption. This article examines the quantum threat to health care data and technology and offers some ideas on how this serious risk can be mitigated.

Understanding Health Care as a Technology Ecosystem

Health care is a field that runs on digital technology. Health care organizations deploy millions of connected medical devices that store personal patient data and real-time biometric data. These devices allow doctors and patients to communicate faster, more efficiently and, in some cases, more cheaply than was possible with past communication methods. For instance, a direct digital heartbeat transmission is far faster and cheaper than a fax machine. In addition, back-end systems handle medical records storage, billing and operations.

A Brief Overview of the Quantum Threat to the Health Care Industry

Every medical device, computer server, network and storage array is vulnerable to cyberattack. Today, this means anything from ransomware to zero-day attacks: any threat vector that enables a malicious actor to interfere with health care processes or steal data. In the near future, this digital health care landscape will also be vulnerable to attacks from quantum computers.

Briefly, a quantum computer is a new generation of computing technology that utilizes sub-atomic particles and the principles of quantum mechanics to deliver exponentially faster computation capabilities than existing computers. There are many exciting potential uses for quantum computing, including in health care, such as protein folding. However, the technology is also expected to break today’s “unbreakable” cryptographic keys that secure data and critical systems.

Security experts are worried, with good reason, that within a few years, today’s current forms of cryptography will be rendered useless by the quantum threat. At that point, virtually all data and systems will be exposed to threats, including those systems that manage health care information. This would be catastrophic on multiple levels. The quantum crisis threatens patient health, the large and lucrative health care industry, society and even the United States’ national security.

Threats to Patient Health

If all cryptography protecting the security and privacy of medical technology becomes inoperable, then patient health is at risk. Attackers could disrupt hospital networks and delay patient care. They could cause pacemakers, defibrillators, insulin pumps and other critical health devices to stop working. This could cause people to get sick or even die. Indeed, this type of thing has already happened. For example, in 2019 a ransomware attack on a hospital resulted in the death of a newborn.

Threats to a Vast, Critical and Lucrative Business

Health care is a multi-trillion-dollar industry. The quantum threat puts this enormous slice of the economy at risk. Even just one sector, the IoMT market, is rapidly accelerating, expected to go from a $14 billion valuation in 2017 to $158 billion this year.

Medical information is also valuable. Research suggests that it can be valued up to 50 times more than a stolen credit card on the black market. This is an attractive target for hackers.

Regarding legal liability and ethics, unsecured devices or device exploits constitute a violation of patients' trust. Device manufacturers have a fiduciary responsibility to protect patient data. Adding in regulatory penalties, such as HIPAA violations, the quantum threat’s potential costs appear to be astronomical.

Societal Risks

Risks to individual patients are bad enough, but overall health care cyber risk exposure threatens the broader society. If health care systems, especially emergency services, are unavailable during a crisis, the public could be in danger. This is not as far-fetched a scenario as people might imagine. After all, ransomware attackers have targeted municipal government and law enforcement in tandem with hospitals. A quantum attack that devastates all such systems could destabilize the public order.

Geopolitical Risks

Health care information also figures into geopolitics and the world of intelligence. This may seem a bit cloak-and-dagger, but the reality is that adversarial nation-state intelligence services are stealing hundreds of millions of American health records. The 2015 Anthem breach is cited as an example. It’s unclear exactly why they are doing this, but possible explanations include a desire to create a “social map” of the United States to identify spies. There is also a theory that the Chinese artificial intelligence (AI) industry is hacking American medical data to develop training data sets for medical AI software, which is considered a strategically important industry. The fascinating Wall Street Journal article “What Does Beijing Want With Your Medical Records?” explores this issue.

Regulatory Landscape

The government is taking a strong interest in cybersecurity for health care. U.S. federal agencies are expected to start mandating cybersecurity requirements through legislation such as the 2022 Protecting and Transforming Cyber Healthcare (“PATCH”) Act, which requires a software bill of materials (SBOM), as mandated by President Biden’s May 2022 executive order. These measures also expect medical devices to have greater cryptographic agility.

The pending Healthcare Cybersecurity Act of 2022 is a further call-to-action from the government. The bill wants to make cybersecurity a primary goal of health care organizations and equipment manufacturers. This includes the critical step of protecting legacy devices incapable of withstanding today’s cyberattacks. The bill is poised to impose financial constraints, with Medicare payment policies incorporating cyber expenses.

Quantum defense still needs to be added to the legislative agenda for health care, but it will almost certainly be included soon. The government is starting to mandate mitigations of the quantum threat in government systems. For example, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance called “Preparing for Post-Quantum Cryptography” in 2022 in collaboration with NIST. Health care will likely follow.

Quantum Security Solutions for Health Care

It is important to start defending against the quantum threat now. Or, at a minimum, health care organizations can start preparing by assessing their cybersecurity to look for areas that will be vulnerable to a quantum attack. If health care companies want to follow the CISA/NIST guidance, they should start by inventorying their critical data and systems, including device operating systems. They ought to create an inventory of their cryptographic technologies and internal standards. This includes public key cryptography, which is most vulnerable to quantum attacks.
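An added example, not part of the original article or of any vendor's product: one way to triage the cryptographic inventory described above, putting public-key algorithms on critical assets at the top of the migration list. The asset names, the record format and the action labels are constructed for illustration.

```python
import re

# Public-key primitives built on factoring or discrete logarithms, the
# problems Shor's algorithm solves on a large enough quantum computer.
PUBLIC_KEY = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA"}
CRITICALITY = {"high": 0, "medium": 1, "low": 2}
ACTION_RANK = {"migrate": 0, "unknown": 1, "review": 2, "keep": 3}

# Constructed inventory records: asset, data criticality, cryptography in use
INVENTORY = """\
infusion-pump-fw,high,RSA-2048 firmware signature
ehr-portal-tls,high,ECDHE-RSA-AES128-GCM-SHA256
billing-db-at-rest,medium,AES-256-GCM
telemetry-gateway-vpn,high,DH-2048 + AES-128-CBC
imaging-archive,low,AES-128-CBC
legacy-monitor,medium,proprietary cipher
"""

def classify(crypto):
    """Return (action, algorithms) for one free-text cryptography description."""
    text = crypto.upper()
    found = sorted(set(re.findall(r"[A-Z]+", text)) & PUBLIC_KEY)
    if found:
        return "migrate", found
    aes_bits = [int(b) for b in re.findall(r"AES[-_ ]?(\d+)", text)]
    if not aes_bits:
        return "unknown", []  # nothing recognised: needs manual inspection
    # Grover's search gives only a quadratic speedup, so short symmetric
    # keys are flagged for review rather than replacement.
    if min(aes_bits) < 256:
        return "review", ["AES-%d" % min(aes_bits)]
    return "keep", []

def triage(inventory):
    """Parse the inventory and order it by action, then data criticality."""
    rows = []
    for line in inventory.strip().splitlines():
        asset, criticality, crypto = [f.strip() for f in line.split(",", 2)]
        action, algs = classify(crypto)
        rows.append((asset, criticality, action, algs))
    rows.sort(key=lambda r: (ACTION_RANK[r[2]], CRITICALITY[r[1]], r[0]))
    return rows

if __name__ == "__main__":
    for asset, criticality, action, algs in triage(INVENTORY):
        print(f"{action:8} {criticality:7} {asset:24} {', '.join(algs) or '-'}")
```

A record lands in `migrate` as soon as any public-key algorithm appears in it, even when the symmetric cipher alongside it is strong, because the key exchange or signature is the part a quantum attacker would target.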

Health care organizations then need to move toward what is known as post-quantum cryptography, a new approach to cryptography that changes the way keys are generated, managed and used. Using advanced mathematical techniques, post-quantum cryptography methods can protect health care data from even quantum decryption processes.

Dave Krauthamer

Dave currently serves as CEO of QuSecure. QuSecure offers QuProtect – proven, adaptive, quantum-resilient cybersecurity software that protects your data wherever and whenever it travels. With attack intelligence and monitoring, QuProtect acts as the “easy button” making mandatory upgrades simple while integrating seamlessly with today’s – as well as yesterday’s – technology. Dave has extensive experience in Quantum Computing, Artificial Intelligence, Cybersecurity, Product Innovation, Marketing, Sales, M&A, in addition to a wide background in the implementation of enterprise-wide systems.
