Healthcare regulation must adapt rapidly to the challenges posed by QC. Existing frameworks, such as the GDPR, NIS2, or MDR, impose requirements for data protection, device security, and infrastructure resilience, but were developed under pre-quantum assumptions. They do not yet explicitly require safeguards against quantum-enabled attacks [10]. This leaves health systems without any apparent obligation to transition to post-quantum cryptography. Policymakers have already recognised this challenge and are starting to put in place roadmaps for PQC adoption [1,19].
Medical devices present a particular regulatory challenge. Their life cycles often span years [22]. Once certified, they are rarely updated to meet new cryptographic standards, or updates are not possible at all. At the point of certification, there should therefore be requirements for quantum-safe algorithms. Otherwise, devices in daily clinical use could become long-term vulnerabilities. This issue is exacerbated by the fact that existing regulatory guidance for medical devices already has an unclear scope, inconsistent levels of detail, and thematic gaps in areas such as cryptography and access control [23].
Updating certification pathways to include post-quantum criteria is therefore essential. This also applies in particular to digital devices and wellness applications. The example of the femtech sector illustrates how sensitive reproductive health data could be exposed if encryption is broken in the future. While some companies have already begun implementing PQC schemes voluntarily, regulatory frameworks should recognise such practices. Additionally, they should incentivise early adoption across healthcare technologies. Actionable steps are shown in Table 1.
Moreover, protecting medical device data from future quantum decryption attacks is not only a matter of patient privacy, but also of national digital sovereignty. Health systems and health infrastructures, such as the emerging European Health Data Space, increasingly rely on interconnected devices that generate vast amounts of sensitive data. If compromised, this data could be exploited by foreign adversaries to undermine trust, manipulate care, or disrupt services. Without robust quantum-resistant cryptographic strategies, nations risk losing control over critical health infrastructure. This could make them dependent on external actors for security solutions. Ensuring sovereign control over medical data protection strengthens resilience and preserves the autonomy of healthcare decision-making. Overall, this safeguards a country’s or region’s ability to govern its own digital health future.
So what happens when medical device data meets Q-Day? We already have good PQC algorithms, selected through international processes such as NIST’s standardisation effort. These are available now and should be required in high-risk contexts without delay. Proactive regulation is already requiring the use of these approaches. Effective implementation of the defences already available can prevent costly retrofits and align healthcare with other critical sectors. Most importantly, it would also ensure that patient safety and privacy are not compromised in the quantum era. However, in health data handling, it is generally poor practice that lets down patients rather than a lack of adequate protective technologies.
Finally, it should be emphasised that the risk posed by QC arises not only from the eventual arrival of sufficiently capable QC programmes and systems. Another threat lies in the time required to transition from current encryption methods to quantum-safe, or post-quantum, cryptography [24]. Regulators and innovators therefore share responsibility for addressing these risks, making risk-based quantum impact assessments a necessary part of QC research and development. Such assessments should include the adoption of robust information security management frameworks, such as ISO 27001. Additionally, they should consider the implementation of quantum-safe controls to safeguard sensitive assets from attacks by cryptographically relevant quantum computers [25]. Ensuring that the deployment of quantum-resistant algorithms keeps pace with, or ideally outpaces, advances in QC capabilities is essential to maintaining the security of digital infrastructures and communications. This calls for researching and investing in PQC initiatives, as well as post-quantum information security programs [26].
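A risk-based quantum impact assessment of the kind described above, combined with the long device life cycles noted earlier, can be made concrete as a cryptographic inventory triage. The following is an added illustration, not code from the authors: it applies Mosca's inequality (data shelf life plus migration time versus years until a cryptographically relevant quantum computer exists) to a constructed device inventory; the 2035 CRQC year, the five-year migration window and the device records are placeholders, not estimates taken from the page.

```python
from dataclasses import dataclass

# Public-key schemes broken by Shor's algorithm on a CRQC, versus the NIST
# PQC standards (ML-KEM: FIPS 203, ML-DSA: FIPS 204, SLH-DSA: FIPS 205).
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "X25519"}
QUANTUM_SAFE = {"ML-KEM-768", "ML-DSA-65", "SLH-DSA-SHA2-128s"}

@dataclass
class DeviceRecord:
    name: str
    algorithm: str              # public-key scheme protecting the device's data
    cert_year: int              # year the device was certified
    lifecycle_years: int        # expected years in clinical use after certification
    data_shelf_life_years: int  # years its data must remain confidential
    updatable: bool             # can it receive new cryptography in the field?

def exposure(dev, current_year, crqc_year, migration_years):
    """Classify one device's quantum exposure using Mosca's inequality:
    if data shelf life (x) + migration time (y) > years until a CRQC (z),
    the data can be harvested now and decrypted later."""
    if dev.algorithm in QUANTUM_SAFE:
        return "quantum-safe"
    if dev.algorithm not in QUANTUM_VULNERABLE:
        return "unknown-algorithm"
    years_until_crqc = crqc_year - current_year
    in_use_at_crqc = dev.cert_year + dev.lifecycle_years > crqc_year
    data_outlives_crqc = dev.data_shelf_life_years + migration_years > years_until_crqc
    if in_use_at_crqc and not dev.updatable:
        # Certified with a vulnerable scheme and no update path: a long-term liability.
        return "long-term-vulnerability"
    if data_outlives_crqc:
        return "harvest-now-decrypt-later"
    return "migrate-on-schedule"

def triage(inventory, current_year, crqc_year, migration_years):
    """Map each device name to its exposure class for a risk-based assessment."""
    return {d.name: exposure(d, current_year, crqc_year, migration_years) for d in inventory}

# Constructed sample inventory (placeholder values, not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("infusion-pump", "RSA-2048", 2022, 15, 5, False),
    DeviceRecord("implant-telemetry", "ECDH-P256", 2024, 8, 25, True),
    DeviceRecord("wellness-app-backend", "X25519", 2024, 5, 2, True),
    DeviceRecord("ehr-gateway", "ML-KEM-768", 2025, 10, 30, True),
]

if __name__ == "__main__":
    # Assumed: assessment in 2025, CRQC placeholder year 2035, 5-year migration.
    for name, cls in triage(SAMPLE_INVENTORY, 2025, 2035, 5).items():
        print(f"{name:22s} {cls}")
```

Devices flagged "long-term-vulnerability" are exactly the certification-time problem the text describes: vulnerable cryptography, still in clinical use when a CRQC arrives, and no way to update it.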
At the same time, a balanced view involves recognising the potential benefits QC could bring to healthcare. As previously mentioned, QC has the potential to accelerate drug discovery, transform precision medicine, and improve optimisation tasks such as hospital resource management [3]. These opportunities demonstrate why being prepared is critical: the same quantum advances that could enhance care might also put healthcare systems at risk. When Q-Day happens, be it tomorrow or in 20 years, we fear that many medical devices and health data systems will not have been prepared, due to negligence rather than the impossibility of protection. Therefore, stakeholders should take action now by implementing specific measures (Table 1).
