NIST finalizes 3 post-quantum cryptography standards
To safeguard existing cybersecurity protocols from easy decryption by a quantum computer, the National Institute of Standards and Technology Post-Quantum Cryptography Project has developed three algorithms – called FIPS 203, 204 and 205 – designed to withstand quantum-powered cyberattacks. It released the first three post-quantum encryption standards on Tuesday.
With the standards, organizations can achieve quantum-safe transformation strategies. The agency said that post-quantum encryption standards secure a wide range of electronic information and is encouraging IT administrators to begin transitioning to the new standards now.
WHY IT MATTERS
Cyber-vulnerable healthcare organizations at varying stages in their cybersecurity modernization are pressed to address myriad cyberattack vectors. The rise of artificial intelligence-enhanced attacks, for example, only adds weight to this burden, with numerous reports that generative AI is improving the quality and quantity of phishing attacks.
According to Scott Crowder, vice president of IBM's quantum-safe adoption and business development team, which offers critical data and systems protection services, the IBM Quantum Platform can now be made Quantum Safe with the standards finalized.
The company works with Cleveland Clinic and others on how quantum computing could benefit their research.
Crowder told Healthcare IT News Tuesday that, with the standards, healthcare organizations can pursue all the steps "to reveal the factors that will steer the organization toward being quantum-safe."
The difficulty for quantum pioneers like IBM – and everyone else – was in waiting for open public-key cryptography standards needed for mass access to the data exchange quantum-protection protocol.
Crowder said organizations must first identify their cryptography and generate what is referred to as a Cryptographic Bill of Materials, or a catalog of artifacts.
"With a CBOM, now the organization can truly observe how compliant their cryptography is – according to current regulations, for example – and where they may have vulnerabilities."
"Now with a prioritized list, the organization can begin to transform their security to quantum-safe solutions," he said.
These three steps – discover, observe and transform – will bring an organization toward being quantum-safe, according to IBM, which says it helped develop NIST’s PQC algorithm standards.
Healthcare organizations can join post-quantum cryptography initiatives or form their own, Crowder also advised.
While NIST has finalized three Federal Information Processing Standards for PQC for use this year, there will be more to come.
We also reached out to U.S. Health and Human Services, healthcare's Sector Resource Management Agency, to ask about the new standards and any recommendations for accelerating migration to quantum-resistant cryptography. We will update this story if we receive a response.
THE LARGER TREND
The NIST PQC project was launched as a six-year effort to develop public-key cryptographic algorithms capable of safeguarding sensitive and protected information.
The project is also drafting a standard for FALCON, a fourth algorithm selected for development in 2022, and a second set of alternative defense algorithms in anticipation of future weakness, NIST said when it first announced the three draft PQC algorithms last year.
In addition to its work with IBM, Cleveland Clinic has been using quantum in its clinical research.
The company recently partnered with Novo Nordisk Foundation on a quantum computing and AI fellowship program to focus on technologies that analyze vast amounts of data to increase diagnostic accuracy, speed personalized medicine and improve clinical trials.
ON THE RECORD
"Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security," said Laurie Locascio, Under Secretary of Commerce for Standards and Technology and NIST director.
"These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information," Locascio said in the agency's announcement.
"The major factors in being prepared for cybersecurity risks and being ready to move to post-quantum cryptography include being agile – being able to pivot to another encryption method without significant disruption; having the necessary skilled workforce to enable the new post-quantum cryptography standards, and ultimately having cryptographic resiliency, meaning successful organizations anticipate their level of risk and don’t make decisions in isolation," Crowder said.
"Both points highlight the need to understand the risk that bad actors that may gain access to future quantum computing capabilities could pose – and how moving to the new PQC standards now will mitigate this risk – and working with other organizations to be prepared, collectively."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.