With quantum transformation looming, no time to waste in maturing cryptography management - Healthcare IT News

Google News – Quantum Computing
⚡ Quantum Brief
Quantum computers threaten to break RSA and ECC encryption in seconds, endangering healthcare data security as cyber espionage escalates, experts warn at the 2026 HIMSS Global Health Conference. The CA/Browser Forum is accelerating certificate lifespans—cutting TLS/SSL validity from 398 days to 47 days by 2029—forcing healthcare IT to adopt post-quantum cryptography (PQC) or risk system failures and compliance violations. Experts stress "crypto agility," where systems can upgrade encryption without breaking, requiring automated certificate management as organizations now issue up to 500 million certificates annually, far beyond manual tracking capabilities. "Harvest Now, Decrypt Later" attacks are rising, with nation-states stockpiling encrypted healthcare data to decrypt once quantum computers mature, urging prioritization of PQC for sensitive long-term records. Panelists advocate immediate action: inventorying crypto assets, automating renewals, and testing PQC compatibility to prevent outages, with migrations potentially taking years due to complex hybrid-cloud architectures.

Photo: Negative Space/Pexels

Asymmetric cryptographic algorithms – RSA and ECC, which are based on solvable math – can be cracked in seconds by a quantum computer. Functional quantum computers once seemed a distant future state; however, the threat to healthcare data security is already apparent with today's cyber espionage.

Experts who created a panel for the 2026 HIMSS Global Health Conference & Exhibition in Las Vegas next week believe the clock is ticking on the need to migrate encryption for a post-quantum future, with regulations rapidly moving to shorter certificate lifespans across assets. Arriving safely in the coming post-quantum reality with today's complex healthcare stacks requires organizations to take action.

"When you introduce quantum, which is a heavier footprint, it takes more compute power, more bandwidth, and things are going to break," said Mike Nelson, global vice president and field chief technology officer at DigiCert and one of the panelists for the HIMSS26 session "Healthcare's Crypto Tipping Point: Automate for Quantum Risk." "So 'crypto agility' is knowing that you're at a point where you can hit the upgrade, and nothing's going to break. That's where organizations need to get to."

Nelson said his co-panelists – digital trust experts working on the frontlines of healthcare and technology – will present practical strategies for getting started to support healthcare IT teams with their post-quantum cryptography (PQC) to-dos.

Joining Nelson are Ali Youssef, director of emerging technology security at Henry Ford Health in Detroit; Nathan Lesser, vice president and chief information security officer at Children's National Hospital in Washington, D.C.; and Joern Lubadel, global head of product security at B. Braun in Germany.

For their session, they will discuss the major shifts propelling the coming PQC migration – the urgent pressure from post‑quantum encryption standards development, short‑lived certificates and organizations' complex hybrid/multicloud architectures. They will then share strategies for evolving current cryptographic operations from crisis-driven responses to strategic automated frameworks.

"You'll leave with practical steps to begin a quantum‑safe transition and build crypto agility across your environment," according to the session description.

Massive migrations can take years because a lot of coordination needs to happen, said Nelson.

Previous migrations for the standard cryptography algorithm upgrade used for digital signatures, SSL/TLS certificates and ensuring file integrity are a good example.

"I met with a large [organization] in Australia when I was down there, and they told me that that [SHA 1 to SHA 2] migration took them eight years to fully migrate because of the complexity," he told Healthcare IT News ahead of the conference.

"When you upgrade cryptography, systems break."

Hastening urgency, the CA/Browser Forum, which sets global baseline requirements, has reduced the maximum public TLS/SSL certificate validity from 398 days to 200 days beginning on March 15.

Maximum validity drops to 100 days one year later and then to 47 days by March 15, 2029.

According to Nelson, it's incumbent on IT to now be asking if their hardware and their operating systems support post-quantum encryption.

Taking the steps now to ultimately achieve PQC readiness enhances reliability, data protection and security and will also help to maintain system uptime, protect sensitive data and meet compliance requirements.

"It's going to benefit your organization," Nelson said.

IT staff tend to find out a certificate has expired only after a system failure or outage occurs.

"Most organizations I talk to today can't even tell me where all of their certificates and cryptography reside," Nelson said.

During a recent session with many CISOs, Nelson said all raised their hands when he asked whether they experienced outages due to mismanaged cryptography in the last month.

Certificates are hard to manage, and resolution is often crisis-driven. Systems go offline, and organizations lack both visibility and the ability to control devices at scale.

"Most organizations I talked to today can't even tell me where all of their certificates and cryptography reside," he said. "They don't even know."

Navigating PQC migration requires proactive certificate management. Without a central list, they cannot see where to begin a migration process, and when certificates unknowingly expire, systems go offline and risk patient care.

"That's the process that's going to really take more planning, more time," Nelson explained.

Achieving true "crypto agility," however, is "when you can swap your cryptography and nothing's going to break," he said.

"It's a massive upgrade, not just of your certificates, but of the surrounding infrastructure that needs to go with it to ensure that they have what's called 'crypto agility,' which is you can swap your cryptography and nothing's going to break," he added.

"The first thing you need to be able to do is discover and have a comprehensive inventory of your crypto assets. Once you have that, then you can begin introducing better management practices."

The number of devices and systems that require SSL/TLS certificates has proliferated beyond organizations' abilities to manage them.

About 12 years ago, organizations were managing an average of about 4,000 to 5,000 security certificates, Nelson said.

"We have organizations today that are issuing 500 million certificates every year," he said. "The management of that cannot be done in a spreadsheet; you cannot be manually notifying and renewing those certificates."

With minimal human intervention, automation technologies can manage issuance, deployment, renewal and revocation, and prevent widespread system failures, he said.

"Automation really becomes the accelerator, the requirement for managing cryptography stacks today."

In addition to pursuing better certificate management and system protection practices through automation, organizations should start to prioritize PQC migrations due to the cyber threat environment.

Threat actors are harvesting encrypted data today and waiting on quantum computers to access it, said Nelson. Evidence is mounting that "Harvest Now, Decrypt Later" attacks could eventually expose protected healthcare data, he explained.

"We see nation-states capturing large amounts of data and saying, 'We're going to sit on this, and we will unencrypt it when we get a quantum computer, and then we'll use that data.'"

Nelson said he urges healthcare organizations to identify data that will still be sensitive in five to 10 years and "look at migrating those systems sooner than later because of that threat."

Nelson's session, "Healthcare’s Crypto Tipping Point: Automate for Quantum Risk," is scheduled for the preconference Healthcare Cybersecurity Forum on Monday, March 9, from 3:20-4:05 p.m., in San Polo 3501A, Level 3, at the Venetian at HIMSS26 in Las Vegas.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.

Source: Google News – Quantum Computing