Breach analysis · Patient Protect
Encryption at rest and in transit: preparing healthcare's cryptographic controls for the post-quantum transition
Harvest-now-decrypt-later attacks are already collecting encrypted ePHI — here's what the HIPAA Security Rule's encryption and risk analysis provisions require before post-quantum standards arrive.
The control gap
The public-key algorithms that protect ePHI in transit today, RSA and elliptic-curve cryptography, will not survive a cryptographically relevant quantum computer; symmetric encryption is affected far less (AES-256 keeps an adequate margin, while AES-128's effective strength is roughly halved). Nation-state and other sophisticated threat actors are conducting harvest-now-decrypt-later (HNDL) campaigns: recording encrypted healthcare traffic today with the intent to recover the session keys, and with them the data, once quantum computing reaches sufficient scale. Because the handshake that negotiated a session's key is captured along with the ciphertext, every recorded session whose key exchange relied on RSA or ECDH is exposed. For covered entities and business associates, this is not a future compliance question; it is a present risk analysis obligation under the HIPAA Security Rule. Industry reporting, including coverage aggregated by HIPAA Pulse from Healthcare IT News, has flagged that healthcare organizations are broadly unprepared for this cryptographic transition. First reported in HIPAA Pulse → https://hipaapulse.com/quantum-computing-is-coming-and-healthcare-isnt-ready-52c37d80
The practical gap is this: most small and mid-size practices have no documented inventory of where encryption is applied, which algorithm and key length each system uses, how long the protected ePHI must stay confidential, or a roadmap for migrating to NIST's post-quantum standards, which were finalized in August 2024.
The HIPAA Security Rule provision in play
§164.312(a)(2)(iv) and §164.312(e)(2)(ii) — Encryption and Decryption (Addressable). "Addressable" does not mean optional: a covered entity must either implement the specification or document why it is not reasonable and appropriate and what equivalent alternative measure it has put in place. Equally implicated is §164.308(a)(1) — the Security Risk Analysis requirement — which mandates that encryption gaps, including forward-looking cryptographic risks, be identified, documented, and tracked toward remediation. NIST's post-quantum standards (FIPS 203 ML-KEM for key establishment, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for digital signatures, all finalized in 2024) now give practices a concrete migration target that risk assessments should reference.
How Patient Protect addresses this
- Security Risk Assessment (SRA): Patient Protect's guided SRA walks practice administrators through encryption controls — documenting current algorithm use, identifying gaps, and generating a risk register that satisfies §164.308(a)(1). Documenting your current encryption posture is the mandatory first step before any migration plan.
- Autonomous Compliance Engine: Continuously recalculates compliance posture as new risks are acknowledged or controls are updated, so encryption-related findings don't age out of visibility.
- Information Systems Inventory: Maps the systems that store or transmit ePHI — a prerequisite for knowing where encryption is and isn't applied across your environment.
- Policy Generation: Produces and maintains an Encryption Policy document tied to your specific system inventory, giving auditors evidence that addressable specifications have been formally evaluated.
- HIPAA Assistant (PIPAA): Provides on-demand guidance on how emerging standards — including post-quantum requirements — interact with current Security Rule obligations.
Practical next steps
- Run a current-state encryption audit this week: list every system that stores or transmits ePHI and record the protocol version, cipher suite, key-exchange mechanism (for example RSA, ECDHE, or an ML-KEM hybrid), symmetric key length, and how many years that data must remain confidential.
- Update your Security Risk Assessment to explicitly address cryptographic risk, treating any RSA or ECDH key exchange protecting long-retention ePHI as an HNDL finding and referencing NIST's finalized post-quantum standards (FIPS 203/204/205) as the migration target.
- Document your addressable-specification decision for §164.312(a)(2)(iv) and §164.312(e)(2)(ii) — regulators expect written rationale, not just implementation.
- Brief your IT vendor or MSP on HNDL exposure and ask for a written timeline toward hybrid post-quantum key exchange in TLS 1.3 (ML-KEM combined with X25519 or P-256) on every ePHI-bearing endpoint.
- Review BAAs with vendors who handle ePHI in transit to confirm their encryption roadmaps are documented.
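As a worked illustration of the first two steps (inventory, then cryptographic-risk entries for the SRA), here is an added Python example; it is not Patient Protect code and the inventory rows are constructed, not real systems. It classifies each row's key exchange as Shor-breakable or post-quantum, checks the symmetric cipher against Grover's halving, and emits risk-register findings mapped to the Security Rule sections above. The ten-year planning horizon is an assumption to set in your own risk analysis.

```python
"""Classify an ePHI encryption inventory for harvest-now-decrypt-later exposure.

Added example, not Patient Protect or HIPAA Pulse code. INVENTORY rows are
constructed; QUANTUM_HORIZON_YEARS is a planning assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

QUANTUM_HORIZON_YEARS = 10  # assumption: when a relevant quantum computer may exist

# Classical public-key mechanisms broken by Shor's algorithm. Any of these in a
# recorded handshake means the session key can be recovered later.
CLASSICAL_KEX_RE = re.compile(r"\b(RSA|ECDHE?|DHE?|X25519|X448|SECP\d{3}R1|FFDHE\d{4})\d*\b")
DEPRECATED_PROTOCOLS = {"SSLV3", "TLSV1.0", "TLSV1.1"}
CIPHER_RE = re.compile(r"(AES|CHACHA20|3DES|DES|RC4)(?:_(\d{3}))?")


@dataclass
class InventoryRow:
    system: str
    flow: str             # "in-transit" or "at-rest"
    protocol: str         # e.g. "TLSv1.3", or the at-rest mechanism
    cipher_suite: str     # TLS suite name, or symmetric algorithm for at-rest data
    key_exchange: str     # TLS group / kex, or the algorithm wrapping the data key
    retention_years: int  # how long this ePHI must remain confidential


@dataclass
class Finding:
    system: str
    severity: str         # "high", "medium" or "info"
    issue: str
    control: str          # HIPAA Security Rule citation the finding maps to


def kex_class(key_exchange: str) -> str:
    """'pq' for any ML-KEM (pure or hybrid) group, 'classical' for RSA/DH/ECDH,
    'unknown' when the inventory text names neither (record it properly)."""
    norm = re.sub(r"[^A-Z0-9]+", " ", key_exchange.upper())
    if "MLKEM" in norm.replace(" ", ""):      # e.g. X25519MLKEM768, ML-KEM-768
        return "pq"
    if CLASSICAL_KEX_RE.search(norm):
        return "classical"
    return "unknown"


def symmetric_strength(suite: str) -> tuple[str, int]:
    """Return (algorithm, key bits); legacy ciphers report 0 bits (treat as broken)."""
    m = CIPHER_RE.search(suite.upper().replace("-", "_"))
    if not m:
        raise ValueError(f"unrecognised cipher in {suite!r}")
    alg, bits = m.group(1), m.group(2)
    if alg == "CHACHA20":
        return alg, 256
    if alg in ("3DES", "DES", "RC4"):
        return alg, 0
    return alg, int(bits)


def assess(row: InventoryRow) -> list[Finding]:
    """Produce risk-register findings for one inventory row."""
    findings: list[Finding] = []
    control = "§164.312(e)(2)(ii)" if row.flow == "in-transit" else "§164.312(a)(2)(iv)"
    long_lived = row.retention_years >= QUANTUM_HORIZON_YEARS

    if row.protocol.upper() in DEPRECATED_PROTOCOLS:
        findings.append(Finding(row.system, "high",
                                f"{row.protocol} is deprecated; require TLS 1.2 or later", control))

    alg, bits = symmetric_strength(row.cipher_suite)
    if bits == 0:
        findings.append(Finding(row.system, "high", f"{alg} is a broken/legacy cipher; replace now", control))
    elif bits < 256 and long_lived:
        # Grover's algorithm roughly halves symmetric strength; AES-128 is marginal
        # for data that must stay secret past the quantum horizon.
        findings.append(Finding(row.system, "medium",
                                f"{alg}-{bits}: Grover halves effective strength; use AES-256 for ePHI "
                                f"retained {row.retention_years} years", control))

    kex = kex_class(row.key_exchange)
    if kex == "classical":
        # TLS_RSA_* suites use RSA key transport: no forward secrecy, so factoring one
        # server key unlocks every recorded session. That outranks per-session ECDHE.
        rsa_transport = row.cipher_suite.upper().startswith("TLS_RSA_")
        severity = "high" if (rsa_transport or long_lived) else "medium"
        issue = (f"{row.key_exchange}: Shor-breakable, recorded traffic decryptable later"
                 + (" (RSA key transport, no forward secrecy)" if rsa_transport else "")
                 + "; migrate to an ML-KEM hybrid group (FIPS 203)")
        findings.append(Finding(row.system, severity, issue, control))
    elif kex == "unknown":
        findings.append(Finding(row.system, "info",
                                f"key exchange {row.key_exchange!r} not classified; record it", "§164.308(a)(1)"))
    return findings


INVENTORY = [  # constructed sample rows, not real systems
    InventoryRow("EHR web portal", "in-transit", "TLSv1.3", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768", 25),
    InventoryRow("Lab results feed", "in-transit", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE secp256r1", 25),
    InventoryRow("Legacy billing VPN", "in-transit", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA-2048", 7),
    InventoryRow("Imaging archive", "at-rest", "AES-GCM volume encryption", "AES-256-GCM", "RSA-3072 wrapped data key", 30),
    InventoryRow("Backup tapes", "at-rest", "AES-CBC", "AES-128-CBC", "AES-256 KEK in HSM", 10),
]


def risk_register(rows: list[InventoryRow] = INVENTORY) -> list[Finding]:
    """Flatten findings for every row; this is the cryptographic section of the SRA."""
    return [f for row in rows for f in assess(row)]


if __name__ == "__main__":
    for f in risk_register():
        print(f"[{f.severity:6}] {f.system:20} {f.control:18} {f.issue}")
```

Note that the imaging archive is flagged even though its data is AES-256 encrypted: the data key is wrapped with RSA, so an exfiltrated backup plus a future factoring attack exposes it. Key-wrapping and KMS configuration belong in the inventory alongside transport cipher suites.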
Try Patient Protect
- Start a free trial at hipaa-port.com → https://hipaa-port.com
- Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment
This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article. First reported in HIPAA Pulse → https://hipaapulse.com/quantum-computing-is-coming-and-healthcare-isnt-ready-52c37d80
