POST-QUANTUM CRYPTOGRAPHY FOR HEALTHCARE: FUTURE-PROOFING POPULATION HEALTH DATABASES AGAINST QUANTUM COMPUTING THREATS

Abstract

In the face of quantum computing advancements, classical encryption methods used in protecting health data are expected to become insecure within the next 10-15 years. This paper is the first to provide a comprehensive, detailed framework for healthcare organizations, specifically targeting population health databases, to migrate their cryptographic systems to quantum-resistant algorithms without disrupting performance or violating compliance standards.

We provide implementation and performance analysis of the four NIST standard candidate post-quantum algorithms CRYSTALS-Kyber, CRYSTALS-Di lithium, FALCON, and SPHINCS+, all tuned for high-throughput, low-latency healthcare workloads. Our empirical data demonstrates that Kyber-1024 is best-suited for health record encryption tasks with minimal performance overhead (2.3x slower) compared to AES-256, and Dilithium-5 offers the most efficient trade-off for long-term signature security for audit logging (4.1x slower than RSA-2048). The research introduces an innovative "crypto agility" system design, facilitating seamless transitioning between traditional and post-quantum cryptographic methods. This design mitigates transitional risks and enables concurrent support for both legacy and quantum-resistant cryptographic processes. Protocols for negotiating between different cryptographic algorithms automatically, based on a combination of data sensitivity, retention policies, and prevailing threat models, are also established.

Empirical evidence from deployment within a production-grade population health system, which currently processes 50 million patient records, indicates the transition to post-quantum cryptography can occur with only 0.03% total downtime, 18% additional storage overhead, and 31% additional compute overhead, well within the tolerance of most healthcare IT budgets.

The paper includes a risk assessment that establishes population health databases, which contain sensitive genetic data, disease profiles, and long-term biometric information with relevance extending over a century, as the most critical assets to be protected against quantum cryptographic attacks. Additionally, the cost-benefit analysis included shows that the U.S. healthcare industry could avoid up to $47 billion in breach-related expenses by adopting post-quantum cryptography proactively.

Supporting the migration, performance optimization, and regulatory adherence, the framework consists of practical migration tooling, a guide for fine-tuning performance, and evidence to show that post-quantum cryptographic implementations meet the necessary conditions for HIPAA encryption safe harbor and are robust against future quantum-computing-specific regulatory requirements.