Although still at a nascent state, quantum computing promises advances in healthcare, from drug discovery to personalised treatments. But it also threatens current cryptographic systems that protect medical data and infrastructure. The concept of “Q-Day” highlights risks such as “harvest now, decrypt later” attacks, with particular concerns for medical devices and sensitive applications in fields like femtech. Preparing for this future requires the rapid adoption of post-quantum cryptography, the coordination of time-phased and scalable “technology rollout” strategies, and revised regulatory frameworks to safeguard patient safety, privacy, and trust.
Over the last years, quantum computing (QC) has moved from a speculative concept to a timely area of research and development, with advances in prototypes and algorithms1. QC is built on the principles of quantum mechanics to process information in fundamentally different ways from traditional computers. Quantum mechanics is famously hard for the non-physicist to grasp2, and this extends to QC: whereas a classical bit is either 0 or 1, a quantum bit (qubit) can occupy multiple states at once, also known as superposition, and be correlated with other qubits through entanglement3. Exploiting these properties allows certain classes of problems to be solved with parallelism and high speed4.
Within the healthcare sector, QC is considered to have great potential for advancing pharmaceutical research and drug development, such as by enabling faster and more precise predictions of protein folding and biochemical interactions, as well as by accelerating whole-genome sequencing and the analysis of complex genetic data3,5,6. QC is also expected to help find optimised personalised treatment plans (e.g., in radiotherapy), improve AI algorithms (e.g., for the prediction of chronic diseases or for cancer detection), and improve MRI image quality3,6.
The advent of Q-Day?
While QC holds great promise for progress in health and life science research, it also raises a systemic security concern that extends beyond healthcare: the potential to break widely deployed cryptographic systems that underpin digital services. In the general media, this event is often referred to as Q-Day or Y2Q.
Importantly, the specific point in time of Q-Day remains hypothetical. The capabilities and computational power of quantum computer prototypes have increased over the last years, which could be observed by an increase in functional qubits. Nevertheless, such prototypes are far from being fully functional7. Experts estimate the likelihood of functional quantum computers to be between 19% and 34% within the next 10 years, and between 60% and 82% in the next 20 years8. Such dates have been mentioned in the past and have been pushed back several times1,9. Due to these limitations, the development of QC algorithms currently remains a theoretical field1.
The concept of Q-Day is debated by the general public and among researchers for two reasons. First, at the time of Q-Day, infrastructure should be prepared and have switched to quantum-safe schemes to avoid future systemic failures in authentication, key exchange, and secure communication1,10. Second, there is an immediate “harvest now, decrypt later” risk: adversaries or criminals can store currently encrypted data until quantum computers are sufficient to decrypt it1,10. In healthcare, where retention periods are lengthy and data retains value throughout a lifetime, this results in a lasting exposure.
The prospect of Q-Day has concrete implications for healthcare and medtech11. First, medical devices and healthcare systems are critical infrastructure, and if their cryptographic protections are compromised, the consequences could be immediate and potentially life-threatening11. Ensuring these systems are protected against potential quantum-capable adversaries is, therefore, crucial. Second, access to previously secure medical data could allow insurers or other stakeholders (if they were willing to act criminally) to alter risk assessment practices, possibly leading to discrimination in coverage and pricing. Finally, decrypted health data could be exploited in ways that go beyond ordinary privacy breaches. Records of public figures or vulnerable groups may be targeted for political or social reasons, especially in environments where minority rights are contested. Examples include patients with stigmatised diseases such as HIV or individuals seeking reproductive or gender-affirming care. Misuse of this information might cause legal or social harm to individuals and undermine access to essential care. Another related challenge is the expected “quantum divide”, where only some countries have the financial resources to invest in QC development and the implementation of post-quantum cryptography (PQC)12. While PQC methods themselves may be available as open-source standards, health systems in low- and middle-income countries may lack the economic or technical capacity to replace legacy infrastructure or to implement the necessary upgrades. As a result, they could face prolonged exposure to quantum-enabled attacks, placing their populations at disproportionate risk. Such scenarios demonstrate that Q-Day is not only a technical challenge but also a broader societal and ethical concern, as it could undermine public trust in care systems and medical technology.
Recent developments
The risks associated with Q-Day have not gone unnoticed. As the potential of QC to undermine cryptographic systems was recognised early on by researchers such as Shor and Grover13,14, research into PQC began soon after15. These efforts have since been taken up by standardisation bodies, governmental authorities, and policy makers, reflecting a coordinated attempt to prepare digital infrastructure for the advent of quantum-capable adversaries1.
In 2016, the U.S. National Institute of Standards and Technology (NIST) issued a formal call for proposals for PQC standardisation, marking the start of a long-term effort to address the risks posed by QC16. This initiative represented one of the first attempts by an official authority to prepare digital infrastructure for a post-quantum era. The call invited cryptographers worldwide to submit candidate algorithms for evaluation, with the aim of replacing three existing standards most vulnerable to attacks by QC. Following the submission deadline in late 2017, NIST began a multi-year evaluation process. This process has since advanced through several competitive rounds. In March 2025, NIST announced the selection of a fifth quantum-safe algorithm scheduled for standardisation, underscoring the continued expansion of the PQC portfolio17.
Government authorities have begun actively recommending the adoption of these algorithms. In the United States (US), the Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance emphasising their importance in countering “harvest now, decrypt later” strategies18. Similarly, the European Union (EU) has published a “Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography,” which establishes specific milestones for securing EU infrastructure against post-quantum threats19. Initial measures are expected by 2026, and high-risk use cases should complete the transition to PQC by 2030. This roadmap is closely linked to the NIS2 directive, which requires public administration entities and critical infrastructures to follow these recommendations to ensure a synchronised transition across the EU.
In parallel, companies have already begun implementing PQC in practice. Messenger services like Apple’s iMessage and Signal have incorporated quantum-safe encryption methods, and the healthcare sector has also started adopting similar measures. A notable example is the period-tracking app Flo, which introduced an anonymous mode allowing users to access its services without sharing personally identifiable information20. This mode uses quantum-safe algorithms to ensure that even if data were collected today, it could not be decrypted later. The sensitivity of such data is evident, as it may reveal pregnancies, abortions, or other reproductive health details.
Quantum cryptography and computing for clinicians
But why is encryption flawed, and how do quantum-safe methods differ from current approaches? Modern encryption can be categorised into symmetric and asymmetric methods. Symmetric encryption, such as the Advanced Encryption Standard (AES), uses a shared secret key for both encryption and decryption. Conversely, asymmetric methods, such as RSA, rely on mathematically related public and private keys. The public key is created from two very large secret prime numbers, and the private key depends on knowing these primes. Since factoring such large numbers is only possible by testing every combination, it is practically impossible for classical computers. Thus, the private key cannot be feasibly derived from the public one21. These techniques underpin protocols like Transport Layer Security (TLS) in a hybrid manner, which secures online communications. At a high level, when a client initiates a secure connection with a website, the client and server exchange cryptographic keys and verify authenticity through certificates and digital signatures using asymmetric methods15. More efficient symmetric algorithms then protect the actual data transfer, ensuring confidentiality, authenticity, and integrity. The previously exchanged key is used for encryption and decryption (Fig. 1).
QC alters this landscape. Shor’s algorithm, introduced in 1994, demonstrated that the large numbers formed from such primes can be efficiently factorised on a quantum computer, thereby breaking RSA and ECC13. These widely used asymmetric systems would no longer be secure once functional quantum computers exist15. In contrast, symmetric algorithms are less affected. Here, Grover’s algorithm can speed up brute-force key searches, but its advantage is limited. Increasing key sizes, such as moving from AES-128 to AES-256, is sufficient to maintain security against such attacks for the time being1,14. However, because protocols like TLS rely on asymmetric encryption to exchange symmetric keys, the compromise of the asymmetric component would expose those keys, allowing attackers to decrypt the entire communication.
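The dependency described above can be made concrete with a toy model, added here as an illustration and not taken from the article or any product it mentions. It assumes textbook RSA without padding, a 32-bit modulus built from two small primes, and a SHA-256 keystream standing in for AES; all function names and the sample record are constructed for this example.

```python
import hashlib
import secrets
from math import isqrt

# Constructed toy parameters: real RSA primes are over a thousand bits each.
P, Q, E = 65521, 65537, 17


def make_keypair(p, q, e=E):
    """Textbook RSA: the private exponent d depends on knowing p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def keystream_xor(session_key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(
            session_key.to_bytes(8, "big") + offset.to_bytes(8, "big")
        ).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send_record(public, plaintext):
    """Hybrid scheme: a fresh symmetric key is wrapped with the public key,
    and the data itself is protected by the symmetric cipher."""
    n, e = public
    session_key = secrets.randbelow(n - 2) + 2
    return {
        "wrapped_key": pow(session_key, e, n),
        "ciphertext": keystream_xor(session_key, plaintext),
    }


def receive_record(private, record):
    """Legitimate receiver: unwrap the session key, then decrypt the data."""
    n, d = private
    session_key = pow(record["wrapped_key"], d, n)
    return keystream_xor(session_key, record["ciphertext"])


def factor(n):
    """Classical trial division. It succeeds only because the modulus is tiny;
    it stands in for the factoring step Shor's algorithm would make efficient."""
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no odd factor found")


def decrypt_stored_record(public, record):
    """What a stored ('harvested') record reveals once the modulus is factored:
    the private key is rebuilt from public data, so the symmetric key and the
    data both fall, regardless of how strong the symmetric cipher is."""
    n, e = public
    p, q = factor(n)
    rebuilt_private = (n, pow(e, -1, (p - 1) * (q - 1)))
    return receive_record(rebuilt_private, record)


PUBLIC, PRIVATE = make_keypair(P, Q)

if __name__ == "__main__":
    sample = b"patient=constructed-example; note=sample record"  # constructed
    stored = send_record(PUBLIC, sample)
    print("receiver reads:  ", receive_record(PRIVATE, stored))
    print("after factoring: ", decrypt_stored_record(PUBLIC, stored))
```

Enlarging the symmetric key does not change the outcome here, because the session key travels inside the RSA-wrapped value; only replacing the key-exchange step with a quantum-safe method removes the exposure.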
Because asymmetric encryption is more vulnerable, researchers have developed specific PQC methods to address those vulnerabilities. These methods are designed to resist quantum attacks while remaining compatible with existing infrastructure1. Several types of methods are currently under development, with some already standardised by NIST and others on track to standardisation11. Each of these approaches involves trade-offs in key size, efficiency, and security. Implementing them across healthcare and other critical sectors requires significant investment, and broad adoption will take time1.
Regulatory implications and next steps
Healthcare regulation must adapt rapidly to the challenges posed by QC. Existing frameworks, such as the GDPR, NIS2, or MDR, impose requirements for data protection, device security, and infrastructure resilience, but were developed under pre-quantum assumptions. They do not yet explicitly require safeguards against quantum-enabled attacks10. This leaves health systems without an apparent necessity for transitioning to post-quantum cryptography. Policymakers have already recognised this challenge and are starting to implement roadmaps for the implementation of PQC1,19.
Medical devices present a particular regulatory challenge. Their life cycles often span years22. Once certified, they are rarely updated to meet new cryptographic standards, or updates are not possible at all. At the point of certification, there should be requirements for quantum-safe algorithms. Otherwise, devices in daily clinical use could become long-term vulnerabilities. This issue is exacerbated by the fact that existing regulatory guidance for medical devices already has an unclear scope, inconsistent levels of detail, and thematic gaps in areas such as cryptography and access control23.
Updating certification pathways to include post-quantum criteria is therefore essential. This also applies in particular to digital devices and wellness applications. The example of the femtech sector illustrates how sensitive reproductive health data could be exposed if encryption is broken in the future. While some companies have already begun implementing PQC schemes voluntarily, regulatory frameworks should recognise such practices. Additionally, they should incentivise early adoption across healthcare technologies. Actionable steps are shown in Table 1.
Moreover, protecting medical device data from future quantum decryption attacks is not only a matter of patient privacy, but also of national digital sovereignty. Health systems and health infrastructures, such as the emerging European Health Data Space, increasingly rely on interconnected devices that generate vast amounts of sensitive data. If compromised, this data could be exploited by foreign adversaries to undermine trust, manipulate care, or disrupt services. Without robust quantum-resistant cryptographic strategies, nations risk losing control over critical health infrastructure. This could make them dependent on external actors for security solutions. Ensuring sovereign control over medical data protection strengthens resilience and preserves the autonomy of healthcare decision-making. Overall, this safeguards a country’s or region’s ability to govern its own digital health future.
So what happens when medical device data meets Q-Day? We already have good PQC algorithms, which have been selected through international processes, such as NIST’s standardisation effort. These are already available and should be required in high-risk contexts without delay. Proactive regulation is already requiring the use of these approaches. Effective implementation of the defences already available can prevent costly retrofits and align healthcare with other critical sectors. Most importantly, it would also ensure that patient safety and privacy are not compromised in the quantum era. However, in health data handling, it is generally poor practice that lets down patients rather than a lack of adequate protective technologies.
Finally, it should be emphasised that the risk posed by QC arises not only from the eventual arrival of sufficiently secure QC programmes and systems. Another threat lies in the time required to transition from current encryption methods to quantum-safe, or post-quantum, cryptography24. Regulators and innovators, therefore, share responsibility for addressing these risks, making risk-based quantum impact assessments a necessary part of QC research and development. Such assessments should include the adoption of robust information security management frameworks, such as ISO 27001. Additionally, they should consider the implementation of quantum-safe controls to safeguard sensitive assets from attacks by cryptographically relevant quantum computers25. Ensuring that the deployment of quantum-resistant algorithms keeps pace with, or ideally outpaces, advances in QC capabilities is essential to maintaining the security of digital infrastructures and communications. This calls for researching and investing in PQC initiatives, as well as post-quantum information security programs26.
At the same time, a balanced view involves recognising the potential benefits QC could bring to healthcare. As previously mentioned, QC has the potential to accelerate drug discovery, transform precision medicine, and improve optimisation tasks such as hospital resource management3. These opportunities demonstrate why being prepared is critical: the same quantum advances that could enhance care might also put healthcare systems at risk. When Q-Day happens, be it tomorrow or in 20 years, we fear that many medical devices and health data systems will not have been prepared, due to negligence rather than the impossibility of protection. Therefore, stakeholders should take action now by implementing specific measures (Table 1).
Data availability
No datasets were generated or analysed during the current study.
References
Joseph, D. et al. Transitioning organizations to post-quantum cryptography. Nature 605, 237–243 (2022).
Carroll, S. Why even physicists still don’t understand quantum theory 100 years on. Nature 638, 31–34 (2025).
Ur Rasool, R. et al. Quantum computing for healthcare: A review. Future Internet 15, 94 (2023).
Memon, Q. A., Al Ahmad, M. & Pecht, M. Quantum computing: Navigating the future of computation, challenges, and technological breakthroughs. Quantum Rep 6, 627–663 (2024).
Banchi, L., Fingerhuth, M., Babej, T., Ing, C. & Arrazola, J. M. Molecular docking with Gaussian boson sampling. Sci. Adv. 6, eaax1950 (2020).
Chow, J. C. L. Quantum computing in medicine. Med. Sci. (Basel) 12, 67 (2024).
Google Quantum AI and Collaborators. Quantum error correction below the surface code threshold. Nature 638, 920–926 (2025).
Michele Mosca, D. M. P. Quantum Threat Timeline Report 2024. https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/ (2024).
Hong, C. et al. Quantum attack on RSA by D-Wave Advantage: a first break of 80-bit RSA. Sci. China Inf. Sci. 68, 129501 (2025).
Davis, P. et al. EU Cybersecurity Regulation in the Quantum Age. Soc. Sci. Res. Netw. https://doi.org/10.2139/ssrn.5383838 (2025).
SaberiKamarposhti, M. et al. Post-quantum healthcare: A roadmap for cybersecurity resilience in medical data. Heliyon 10, e31406 (2024).
Holley, K. Bridging The Quantum Divide. Forbes (2023).
Shor, P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. arXiv [quant-ph] (1995).
Grover, L. K. A fast quantum mechanical algorithm for database search. in Proceedings of the twenty-eighth annual ACM symposium on Theory of computing - STOC ’96 212–219 (ACM Press, New York, New York, USA, 1996).
Bernstein, D. J. & Lange, T. Post-quantum cryptography. Nature 549, 188–194 (2017).
Boutin, C. NIST asks public to help future-proof electronic information. NIST https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information (2016).
Selected Algorithms - Post-Quantum Cryptography. CSRC | NIST https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms (2017).
Cybersecurity and Infrastructure Security Agency. Post-Quantum Cryptography Initiative. Cybersecurity and Infrastructure Security Agency CISA https://www.cisa.gov/quantum (2022).
NIS Cooperation Group. A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography. https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography (2025).
Flo Health Inc. Open Sourcing Anonymous Mode. Flo.health https://flo.health/privacy-portal/anonymous-mode-open-source-faq (2023).
Rivest, R. L., Shamir, A. & Adleman, L. A. Method for Obtaining Digital Signatures and Public-key Cryptosystems. https://hdl.handle.net/1721.1/148910 (1977).
Hollebeek, T. How Will Quantum Computing Impact Healthcare Security? Safeguarding medical data in the age of information. digicert https://www.digicert.com/blog/how-will-quantum-computing-impact-healthcare-security (2023).
Ostermann, M. et al. Cybersecurity requirements for medical devices in the EU and US - A comparison and gap analysis of the MDCG 2019-16 and FDA premarket cybersecurity guidance. Comput. Struct. Biotechnol. J. 28, 259–266 (2025).
Post-Quantum Cryptography. CSRC | NIST https://csrc.nist.gov/projects/post-quantum-cryptography (2017).
The White House. FACT SHEET: President Biden Announces Two Presidential Directives Advancing Quantum Technologies. The White House https://bidenwhitehouse.archives.gov/briefing-room/statements-releases/2022/05/04/fact-sheet-president-biden-announces-two-presidential-directives-advancing-quantum-technologies/ (2022).
Kop, M. et al. Ten principles for responsible quantum innovation. Quantum Sci. Technol 9, 035013 (2024).
Acknowledgements
This work was supported by the European Commission under the Horizon Europe Program, as part of the project CYMEDSEC (101094218). The views and opinions expressed are those of the authors only and do not necessarily reflect those of the European Union. Neither the European Union, nor the granting authorities, can be held responsible for them. Responsibility for the information and views expressed therein lies entirely with the authors. This work was supported by the German Federal Ministry of Education and Research (BMBF) as part of the Zukunftscluster SEMECO (03ZU1210BA). TM’s contribution to this paper was generously supported by the Novo Nordisk Foundation (NNF) via a grant for the scientifically independent Collaborative Research Program in Bioscience Innovation Law (Inter-CeBIL Program – Grant No. NNF23SA0087056). TM’s research was further supported by the European Union (Grant Agreement no. 101057321; the ‘CLASSICA project’). The views presented here are solely those of the authors and do not reflect those of the funders, who were not involved in the study design, in the collection, analysis, or interpretation of data, in the writing of the report; nor in the decision to submit the paper for publication. Neither the NNF nor the European Union nor the granting authority can be held responsible for them. During the preparation of this work, the authors used DeepL (DeepL SE), Grammarly (Grammarly, Inc), and ChatGPT (in versions GPT-5; OpenAI, Inc) to improve the grammar, spelling, and readability of the manuscript. After using these tools and services, the authors reviewed and edited the content as needed and take full responsibility for the content of the publication.
Author information
Contributions
O.F. and S.G. developed the concept of the manuscript. O.F. wrote the first draft of the manuscript. All authors contributed to the writing, interpretation of the content, and editing of the manuscript, revising it critically for important intellectual content. All authors had final approval of the completed version. The authors take accountability for all aspects of the work in ensuring that questions related to the accuracy or integrity of any part of the work are appropriately investigated and resolved.
Ethics declarations
Competing interests
O.F. has a leadership role and holds stock in WhalesDontFly GmbH, and has had consulting relationships with Prova Health Ltd. M.O. declares no competing interests. T.M. served as an expert advisor to the European Commission’s Joint Research Centre, the European Open Science Cloud (EOSC), Microsoft, and Corti. T.M. further serves as a senior consultant at X-officio AB, Artigentia, and in the external WHO expert committee on the Ethics and Governance of Artificial Intelligence for Health and serves on the external WHO expert group on Ethical Considerations for the Use of Large Multi-Modal Models for Health Related Applications. S.G. is an advisory group member of the Ernst & Young-coordinated “Study on Regulatory Governance and Innovation in the field of Medical Devices” conducted on behalf of the Directorate-General for Health and Food Safety of the European Commission. S.G. has or has had consulting relationships with Una Health GmbH, Lindus Health Ltd, Flo Ltd, Thymia Ltd, FORUM Institut für Management GmbH, High-Tech Gründerfonds Management GmbH, and Ada Health GmbH, and he holds share options in Ada Health GmbH.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Freyer, O., Ostermann, M., Minssen, T. et al. Quantum cryptography and data protection for medical devices before and after they meet Q-Day. npj Digit. Med. 8, 620 (2025). https://doi.org/10.1038/s41746-025-02082-3
DOI: https://doi.org/10.1038/s41746-025-02082-3
