Healthcare organisations are custodians of some of the most sensitive and long-lived data in existence. Electronic patient records, diagnostic imaging, genomic data, connected medical device telemetry and clinical research findings are not short-term assets; they must remain confidential and trustworthy for decades. Yet the public-key algorithms protecting this data today, RSA and elliptic-curve cryptography used for key exchange and digital signatures, were never designed to withstand a quantum computer: a sufficiently large one running Shor's algorithm breaks them outright. Symmetric ciphers and hash functions are affected far less, since Grover's algorithm only roughly halves their effective strength, which is why AES-256 and SHA-256 are expected to remain adequate.
Guidance from the UK's National Cyber Security Centre (NCSC) makes clear that organisations should begin preparing for a transition to post-quantum cryptography (PQC) now. The NCSC's migration timeline asks organisations to complete discovery of affected systems and define migration goals by 2028, to carry out their highest-priority migration activities by 2031, and to complete the transition by 2035.
For healthcare providers, digital health innovators and NHS suppliers, this timeline is both necessary and daunting. The sector is managing rapid digital transformation alongside decades-old infrastructure: modern healthcare data requirements are increasingly layered onto legacy clinical platforms that were never designed for today's interconnected environment or long-term threat landscape. That tension between ageing systems, modern data and an evolving threat sits at the heart of healthcare's post-quantum challenge.
Quantum Risk Is Not a Future Problem
A common misconception is that quantum computing only becomes a concern once a fully capable quantum machine exists. In reality, the risk has already begun. An adversary who can record encrypted traffic or copy encrypted archives today can simply store them and decrypt them later, once quantum capabilities mature, an approach known as "harvest now, decrypt later". This exposure is specifically to confidentiality: a session key negotiated today with RSA or elliptic-curve Diffie-Hellman can be recovered from the recorded handshake later. Signatures carry a different urgency: what was verified today stays verified, but signatures that must still be trusted after a quantum computer exists, such as firmware and long-term document signatures, need migrating before then.
Healthcare data is particularly exposed. Medical histories, genomic datasets and clinical research can retain value for decades. Information captured today may sit unreadable for years and then become accessible the moment quantum decryption capability emerges. The implications extend beyond cybersecurity alone, affecting patient confidentiality, institutional trust and long-term regulatory resilience.
Legacy Infrastructure in a Modern Threat Landscape
Healthcare presents a uniquely complex environment for cryptographic transition. Many NHS trusts and private providers operate digital estates that include:
- Legacy electronic patient record systems
- Diagnostic imaging platforms
- Connected medical devices and IoT sensors
- Cloud-hosted patient portals and remote monitoring services
- Extensive third-party supplier integrations
Many of these systems were deployed decades ago and remain mission-critical today. Cryptography is often deeply embedded within applications or firmware, making modification difficult or operationally risky.
Healthcare organisations cannot simply replace these systems without affecting clinical delivery. Even minor technical changes may require validation, recertification, and assurance of patient safety. As a result, quantum readiness depends less on replacing legacy platforms and more on protecting the data flowing through them.
The Limits of Perimeter Thinking
Historically, healthcare cybersecurity focused on protecting the network perimeter by securing data centres, restricting access and defending against external intrusion. However, telehealth services, hybrid working, cloud adoption and interconnected supply chains have fundamentally changed how healthcare data moves.
Patient information now travels continuously between hospitals, research partners, cloud platforms and connected devices. Zero Trust architectures reflect this shift by emphasising identity verification and least-privilege access. Yet quantum computing introduces a deeper challenge: it threatens the encryption algorithms themselves. If the key exchange and signature algorithms that these controls rely on (TLS, VPN tunnels, certificates, signed access tokens) become breakable, perimeter controls and identity verification alone cannot guarantee long-term protection. Security must follow the data wherever it moves.
Protecting Legacy Applications Without Rewriting Them
A practical path to quantum readiness lies in adopting a data-centric and platform-agnostic security model. Rather than attempting to update cryptography within every legacy application or medical device, protection can be applied independently at the data layer. This enables healthcare organisations to secure sensitive information without modifying or destabilising core clinical systems. Under this approach:
- Data is protected independently of application logic
- Legacy platforms continue operating unchanged
- Security policies govern access across environments
- Encryption mechanisms can evolve as PQC standards mature
This non-invasive model allows healthcare providers to modernise security while maintaining operational continuity, a critical requirement in clinical environments. It protects the data payload, however, not the channels and identities around it: the TLS key exchange, VPN tunnels, certificates and firmware signatures inside the legacy platforms still rely on their own algorithms and remain on the migration inventory.
Sovereign Key Ownership and Policy-Driven Protection
An often overlooked element of post-quantum readiness is control over encryption keys themselves. Long-term security depends not only on adopting quantum-resistant algorithms but also on ensuring that organisations retain sovereign ownership of the keys used to protect sensitive data. In healthcare environments involving multiple suppliers, cloud platforms and shared services, loss of direct key control can introduce additional risk.
A policy-driven model allows encryption keys to remain under organisational control while being applied dynamically according to application flows and data access requirements. Protection can then be enforced consistently across systems, regardless of where data is processed or stored.
When sovereign key ownership is combined with post-quantum cryptographic algorithms, healthcare organisations can maintain control over data protection throughout its lifecycle. Security becomes independent of infrastructure providers, application age or hosting environment.
This approach helps ensure that sensitive patient information remains protected in accordance with organisational policy, rather than being constrained by the limitations of legacy platforms or external systems.
The Importance of Crypto Agility
Post-quantum security is not a one-time upgrade. Standards will evolve: NIST published the first PQC standards in August 2024 (ML-KEM in FIPS 203, ML-DSA in FIPS 204 and SLH-DSA in FIPS 205), further algorithms are still being standardised, and hybrid modes that combine a classical and a post-quantum algorithm are in common use during the transition. Crypto agility means that the algorithm and key version protecting a piece of data are identified explicitly, in the data or the protocol, rather than hard-coded into applications, so that organisations can update encryption methods, rotate keys and adjust protection policies without redesigning applications or interrupting services. In healthcare environments, where uptime requirements are strict and change cycles lengthy, crypto agility allows protection to evolve without repeatedly revisiting legacy infrastructure.
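The data-layer envelope described in the two sections above, as an added example that is not Certes' product or code: each protected record carries the identifier of the cipher suite and key version that protected it, the organisation holds the keys, and a deprecated suite or retired key is replaced by re-wrapping stored records with no change to the application that reads them. The suite names "v1" and "v2", the KeyStore and the record format are assumptions. Both suites are standard-library stand-ins (an HMAC-derived keystream with encrypt-then-MAC) so the block runs offline; a real registry would map the same identifiers to AES-256-GCM with the record key wrapped by an ML-KEM key encapsulation.

```python
"""Crypto-agile envelope applied at the data layer (illustrative, stdlib only)."""
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Suite registry: records store only the identifier, never the algorithm choice.
# Both suites are stand-ins built from HMAC (keystream + encrypt-then-MAC) so the
# example runs with the standard library; a real registry would map "v2" to
# AES-256-GCM with the record key wrapped by an ML-KEM (FIPS 203) encapsulation.
SUITES = {
    "v1": {"prf": "sha256", "deprecated": True},     # assumed: retired suite
    "v2": {"prf": "sha3_256", "deprecated": False},  # assumed: current suite
}


@dataclass
class KeyStore:
    """Keys held by the organisation itself, referenced by key id (kid)."""
    keys: Dict[str, bytes] = field(default_factory=dict)
    current_kid: str = ""

    def new_key(self, kid: str) -> None:
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid


def _derive(prf: str, key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from the stored key.
    return hmac.new(key, label, prf).digest()


def _keystream(prf: str, enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode used as a PRF-based stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), prf).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _aad(header: dict) -> bytes:
    # The header is authenticated so suite and key id cannot be swapped.
    return json.dumps(header, sort_keys=True).encode()


def protect(plaintext: bytes, ks: KeyStore, suite_id: str = "v2") -> bytes:
    """Encrypt-then-MAC one record under the current key and the given suite."""
    prf = SUITES[suite_id]["prf"]
    key = ks.keys[ks.current_kid]
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(prf, _derive(prf, key, b"enc"), nonce, len(plaintext)))
    header = {"suite": suite_id, "kid": ks.current_kid, "nonce": nonce.hex()}
    tag = hmac.new(_derive(prf, key, b"mac"), _aad(header) + ct, prf).hexdigest()
    return json.dumps({**header, "ct": ct.hex(), "tag": tag}).encode()


def unprotect(envelope: bytes, ks: KeyStore) -> bytes:
    """Verify then decrypt; raises ValueError on an unknown suite or a bad tag."""
    env = json.loads(envelope)
    if env["suite"] not in SUITES:
        raise ValueError(f"unknown suite {env['suite']!r}")
    prf = SUITES[env["suite"]]["prf"]
    key = ks.keys[env["kid"]]  # KeyError if the key was never ours or was destroyed
    header = {k: env[k] for k in ("suite", "kid", "nonce")}
    ct = bytes.fromhex(env["ct"])
    expected = hmac.new(_derive(prf, key, b"mac"), _aad(header) + ct, prf).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("authentication failed: record or header modified")
    nonce = bytes.fromhex(env["nonce"])
    return _xor(ct, _keystream(prf, _derive(prf, key, b"enc"), nonce, len(ct)))


def header_of(envelope: bytes) -> dict:
    env = json.loads(envelope)
    return {k: env[k] for k in ("suite", "kid")}


def needs_migration(envelope: bytes, ks: KeyStore) -> bool:
    """True if the record sits under a deprecated suite or a non-current key."""
    h = header_of(envelope)
    return SUITES[h["suite"]]["deprecated"] or h["kid"] != ks.current_kid


def rewrap(envelope: bytes, ks: KeyStore, suite_id: str = "v2") -> bytes:
    """Re-protect a stored record under the current suite and key.

    This runs inside the protection layer; the clinical application that reads
    the record is untouched, which is the point of agility at the data layer.
    """
    return protect(unprotect(envelope, ks), ks, suite_id)


if __name__ == "__main__":
    ks = KeyStore()
    ks.new_key("k2024")
    record = b"patient_id=demo-0001;hba1c=52"  # constructed sample record
    old = protect(record, ks, "v1")           # written years ago under suite v1
    ks.new_key("k2026")                       # key rotation; v1 now deprecated
    print("needs migration:", needs_migration(old, ks))
    new = rewrap(old, ks)
    print("migrated to:", header_of(new), "plaintext intact:", unprotect(new, ks) == record)
```

The two properties worth checking are that a record re-wrapped under the new suite and key still decrypts to the original bytes, and that editing the header (for instance pointing a record at the retired suite) or presenting a key store with a different key under the same key id fails authentication rather than yielding garbage.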
What Healthcare Organisations Should Be Doing Now
Preparation begins with structured assessment rather than large-scale replacement programmes. Healthcare organisations should focus on:
- Identifying long-life data requiring decades of protection
- Mapping cryptographic dependencies across legacy applications
- Understanding ownership and governance of encryption keys
- Assessing supplier and cloud provider readiness
- Exploring policy-driven, data-centric protection models
- Aligning with evolving NCSC guidance
Early planning enables gradual, lower-risk migration rather than compressed transformation later.
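The first four items above, identifying long-life data, mapping cryptographic dependencies and ranking what to migrate first, come down to an inventory and a triage rule. The following is an added example of that triage, not a tool from the article's author: it parses a constructed CSV inventory of where cryptography is used, classifies each algorithm by its quantum impact (Shor breaks RSA and elliptic-curve schemes, Grover only weakens symmetric keys, the FIPS 203/204/205 algorithms and 256-bit symmetric keys are quantum-safe) and assigns each usage to a tranche against the NCSC milestones. The rule that a Shor-vulnerable key protecting data, or a device, that must remain secure beyond 2035 goes into the 2031 high-priority tranche is an assumption made here, as are the column names and the sample systems.

```python
"""Cryptographic dependency inventory with quantum-impact triage (illustrative)."""
import csv
import datetime
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public-key algorithms resting on factoring or discrete logarithms: broken
# outright by Shor's algorithm on a cryptographically relevant quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers whose effective strength Grover's search roughly halves.
GROVER_WEAKENED = {"AES-128"}
# Already deprecated against classical attackers; fix regardless of quantum.
CLASSICALLY_WEAK = {"3DES", "RC4", "MD5", "SHA-1"}
# 256-bit symmetric keys, SHA-2/SHA-3, and the NIST PQC standards (FIPS 203/204/205).
QUANTUM_SAFE = {"AES-256", "CHACHA20", "SHA-256", "SHA-384", "SHA3-256",
                "ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128S"}

NCSC_DISCOVER, NCSC_PRIORITY, NCSC_COMPLETE = 2028, 2031, 2035
RANK = {"immediate": 0, "investigate": 1, "high": 2, "standard": 3, "none": 4}


@dataclass
class Usage:
    system: str
    algorithm: str
    purpose: str           # "confidentiality" or "authentication"
    shelf_life_years: int  # how long the data (or signed artefact/device) must stay secure


def classify(algorithm: str) -> str:
    a = algorithm.strip().upper()
    if a in CLASSICALLY_WEAK:
        return "classically-weak"
    if a in SHOR_BROKEN:
        return "shor-broken"
    if a in GROVER_WEAKENED:
        return "grover-weakened"
    if a in QUANTUM_SAFE:
        return "quantum-safe"
    return "unknown"


def triage(u: Usage, now: Optional[int] = None) -> Tuple[str, str]:
    """Assign a migration tranche and the reason for it (rule is an assumption here)."""
    now = now or datetime.date.today().year
    cls = classify(u.algorithm)
    outlives_horizon = now + u.shelf_life_years > NCSC_COMPLETE
    if cls == "classically-weak":
        return "immediate", "already weak against classical attackers"
    if cls == "unknown":
        return f"investigate by {NCSC_DISCOVER}", "algorithm not in the known set; complete discovery"
    if cls == "shor-broken" and outlives_horizon:
        if u.purpose == "confidentiality":
            # Harvest now, decrypt later: ciphertext captured today is still
            # sensitive after the point at which a quantum computer could open it.
            return f"high, by {NCSC_PRIORITY}", "long-lived confidential data under Shor-vulnerable crypto"
        return f"high, by {NCSC_PRIORITY}", "signing key or device stays in service past the migration horizon"
    if cls == "shor-broken":
        return f"standard, by {NCSC_COMPLETE}", "Shor-vulnerable, but the protected data expires before the horizon"
    if cls == "grover-weakened":
        return f"standard, by {NCSC_COMPLETE}", "Grover halves effective key strength; move to a 256-bit key"
    return "none", "quantum-safe"


def parse_inventory(text: str) -> List[Usage]:
    """Parse a CSV inventory with columns system,algorithm,purpose,shelf_life_years."""
    rows = csv.DictReader(io.StringIO(text))
    return [Usage(r["system"], r["algorithm"], r["purpose"], int(r["shelf_life_years"])) for r in rows]


def plan(usages: List[Usage], now: Optional[int] = None) -> List[dict]:
    """Order the estate's usages into migration tranches, most urgent first."""
    out = []
    for u in usages:
        tranche, reason = triage(u, now)
        out.append({"system": u.system, "algorithm": u.algorithm,
                    "class": classify(u.algorithm), "tranche": tranche, "reason": reason})
    return sorted(out, key=lambda r: (RANK[r["tranche"].split()[0].rstrip(",")], r["system"]))


# Constructed sample inventory; not real systems or findings.
SAMPLE_INVENTORY = """\
system,algorithm,purpose,shelf_life_years
PACS imaging archive (DICOM over TLS),RSA,confidentiality,30
Patient portal TLS key exchange,ECDH,confidentiality,25
EPR database encryption at rest,AES-256,confidentiality,25
Supplier SFTP host key,Ed25519,authentication,1
Infusion pump firmware signing,RSA,authentication,15
Legacy lab interface link,3DES,confidentiality,10
Research data-sharing pilot,ML-KEM-768,confidentiality,30
Remote monitoring gateway,SM4,confidentiality,5
"""

if __name__ == "__main__":
    for row in plan(parse_inventory(SAMPLE_INVENTORY), now=2026):
        print(f"{row['tranche']:<20} {row['system']:<40} {row['algorithm']:<12} {row['reason']}")
```

Two outcomes in the sample are worth noting. The infusion pump's RSA firmware-signing key lands in the high-priority tranche even though it is not a harvest-now-decrypt-later case, because a device fielded now will still be verifying those signatures after 2035. The short-lived Ed25519 host key is Shor-vulnerable but drops to the standard tranche, since nothing it protects outlives the horizon; a real inventory would also record where the ciphertext can be captured, which this rule leaves out.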
Trust in the Digital Health Era
Digital healthcare innovation increasingly depends on trusted data exchange. Remote consultations, AI diagnostics, and connected medical ecosystems rely on secure information flows that operate across both modern and legacy platforms.
Maintaining patient confidence requires assurance that data remains protected throughout its lifetime, even as technology evolves. Quantum computing introduces a long-term structural risk, but it also presents an opportunity to rethink how healthcare protects sensitive information: shifting from infrastructure-dependent security toward persistent, policy-controlled data protection.
The Countdown Has Begun
The NCSC’s 2035 migration horizon may appear distant, but for healthcare organisations managing complex legacy estates, preparation must begin now.
Healthcare leaders should be assessing whether current controls, particularly those protecting data flowing through older systems, will remain resilient as quantum computing advances.
The clock is ticking, and preparation must start now.
By Simon Pamplin, CTO, Certes