How Post-Quantum Encryption Mandates Affect Healthcare
Mac McMillan, CEO Emeritus of CynergisTek, on Cryptography Migration Planning
A 3-month-old federal law meant to future-proof federal computers from quantum computer decryption will have an effect on healthcare sector entities, too, says Mac McMillan, founder and CEO emeritus of privacy and security consulting firm CynergisTek.
"Data and systems that we have today that use at least the current cryptography standard will no longer be adequate when quantum computing becomes mainstream," he said (see: Biden Signs Law to Safeguard IT Against Quantum Computing).
Ultimately, private sector organizations, including healthcare entities - "whether they like it or not" - also will need to migrate to the new cryptographic standards, which are being hammered out by the National Institute of Standards and Technology, the National Security Agency and others, according to McMillan.
The eventual mass migration to post-quantum cryptography will compel healthcare entities to take "a 100% inventory" of their network ecosystems, he said. "Everywhere you have encryption, you will need to consider upgrading to the new standard in order to protect that data."
"Right now, if I were a CISO at a health system, I would be looking at this legislation and say, 'Even though I'm not a federal agency and it doesn't apply to me directly, I'm going to start working with IT to identify the systems, applications and data that we need to be thinking about for migration and putting together a plan so that by the time the new standards come out, we’re prepared to do that.'"
In the interview, McMillan also discusses:
- The types of healthcare sector organizations most likely at risk for potential quantum computing attacks;
- The threat posed by "harvest now, decrypt later" attacks involving the theft of data encrypted using current cryptography standards;
- The systems and devices used in healthcare that potentially present the biggest challenges for post-quantum cryptography migration.
McMillan is co-founder and CEO emeritus of CynergisTek, which was acquired last year by privacy and security consultancy Clearwater. He has more than 40 years of security and risk management experience, including 20 years at the U.S. Department of Defense and its Defense Threat Reduction Agency.