I'm Marianne Kolbazaki, Executive Editor at Information Security Media Group. Today I'm speaking with longtime healthcare security and Privacy expert Mac McMillan, founder and CEO emeritus of consulting firm Citizen. We're going to be discussing the Quantum Computing Cybersecurity Preparedness act, which was signed into law by President Biden at the end of December, and his potential impact on the healthcare sector. So, Mac, the new quantum computing legislation addresses the migration of executive agencies IT systems to post quantum cryptography or encryption strong enough to resist attacks and encryption from quantum computers.
Mac, you've said that this legislation will be kickstarting the biggest cryptographic migration this nation has ever known. Why? Primarily because what quantum computing is going to do at some point is make the current cryptography that we use today, which is the 2048 bit RSA encryption, obsolete. So what that means is that a lot of the data that we have today and systems that we have today that use cryptography and that use cryptography that meets at least the current standard will no longer be adequate to protect that data once quantum computing becomes mainstream.
So, Mac, this legislation directly addresses executive government agencies, but it will have ramifications across all sectors, including healthcare. How and why do you think this legislation will affect healthcare? So clearly, the federal government has been getting ready for quantum computing for some time. In fact, nist, the National Institute for Standards and Technology, as well as NSA and others that are involved in developing the cryptographic standards that we use to protect data have been involved in looking at and developing they call post quantum cryptographic standards, or algorithms, if you will, or algorithms that will stand up to quantum computing, believe it or not, since 2015.
And in fact, in 2021, the government actually published a document, along with a one page synopsis, if you will, that basically said here are the things that people need to do, organizations need to do to begin to get ready for this change. Now, this particular act basically is the government telling the government to get its act together, right? It's telling the government in a very deliberate way that all federal agencies need to conduct a inventory of all their data that need that is critical or that is sensitive enough, that needs to be protected in such a way that it will withstand a quantum computer attack, if you will. And so they're supposed to be doing right now looking at all their data across all their systems and inventorying all the information that's currently encrypted and that needs to be encrypted going forward and needs to meet the new, whatever the new standard is, once the new standard is developed and prioritizing that data, meaning what's most important, what needs to be migrated first.
Because if you think about it, Marianne, for a minute, we have encryption embedded in a lot of applications that are out there and a lot of systems that are out there. We also have encryption that's applied to applications or to systems or to data directly. And so all of this, all this information is going to have to be addressed at one point or another. Now, all that information is not created equal, right?
There's some information that's more sensitive than other, some that is more time sensitive than other. And so basically, what the White House is telling our Congress is telling the federal agencies is, hey, you guys need to put a plan together. You need to look at what you got, you need to decide what needs to meet the new standard, and you need to put a prioritized plan together that says you'll be ready to begin to migrate that information to the new standard once it becomes available to you. Now, how does that apply to healthcare?
Well, unfortunately, the act only applies, as you said, to federal agencies. And I think that's partly because the new standard or the new algorithms, the new encryption, if you will, is not available yet. And so I think there may be some hesitancy to direct something towards the private sector that doesn't exist yet. The problem, though, with that and the thing.
And the reason I think that this should impact health care is that, you know, if the private sector is also going to be ready to migrate when the cryptographic standard finally exists, they too need to inventory all of their systems and all their data and identify which ones are going to need to be migrated so that they, too can put together a plan that makes it possible for them to do this in an organized fashion, if you will, and for them to be able to begin to understand what the budgetary impact potentially is going to be to make this happen. Because if you think about a health system today, you know, with all their patient data encrypted, with a lot of their other applications they're using that have encryption involved, their laptops are encrypted, you know, their mobile devices are encrypted, et cetera, et cetera, all that's going to have to be addressed. Encryption and network devices, like medical devices, for instance, that's going to be. I think that's going to be a huge uplift, if you will, for them.
I think that right now, if I were, if I were a CISO at a health system, I would be looking at this legislation. I would say, even though this doesn't apply to me directly because I'm not a federal agency. This is the smart thing to do. And I'm going to start looking right now and start working with it to identify the systems and the applications and the data that we need to be thinking about in terms of migration and putting together my own plan so that by the time the new standards come out, which may be in summer between 2023 and 2025, I'll be prepared to do that.
What types of healthcare organizations and systems are most at risk for potential quantum computer tasks, you think? Looking ahead and why. So the short answer is everybody potentially could be at risk, but I think those organizations that are going to be most at risk initially are the largest organizations and those organizations that are involved in research activity and health insurance. Most of the information that I've, I've read through so far, the government expects or and the industry expects that the largest target for quantum computing attacks initially is going to be in the financial sector, the ability to break the encryption on financial systems, which I'm sure you can imagine would be huge, right in terms of the impact.
But the fact of the matter is is that it will be. Any system that does not have post quantum computer appropriate encryption after it becomes mainstream will be at risk, if you will. But I think that initially it's going to be the largest systems who have most data. It's going to be those that are involved in research and certainly the health insurance industry needs to take this very seriously.
Will they be able to avoid this? The answer is no. By the HIPAA rule itself, which is which I'm not a real fan of, but by the HIPAA rule itself says you have to apply encryption, appropriate encryption to protect data. And the expectation is, is that that is encryption that meets whatever the current standard is.
So when NIST and NSA and CISA and those folks finish up their development work and identify what the new cryptographic standard will be going forward, my expectation is that any organization that has to meet an encryption standard will have to meet whatever that standard is, and so they're going to have to migrate to the new standard whether they like it or not. So Mac, as you mentioned, nist, NSA and other organizations are working on these encryption standards for post quantum computing. From a practical standpoint, what do you think this migration will potentially mean for healthcare IT systems and patient records, for instance? Well, I think what's been published so far is that they don't expect quantum computing to be really mainstream until probably somewhere between 2030 and 2035.
And I know that sounds like a long way off, but it actually isn't. I mean, we're in 2023 now, so we're seven years away from the front end of that and only 12 years away from the far end of it. And that's based on what they know today. But based on the work that's going on, the research that's being done by folks from around our country, for instance, like folks from MIT and across the pond, folks like the Chinese, et cetera, they expect to be able to have quantum computers that are, that are strong enough to crack the current encryption standard much quicker than that.
So it may be that there isn't five to 12 years to get ready, but let's assume, best case, that we do have until 2030 to get prepared. You know, like I said, you're looking at first, first off, understanding everywhere in your environment where you have encryption either embedded in a system or that you've applied or layered on top of the system, like the encryption, for instance, that you put on a laptop or the encryption that you add to data repositories, for instance. But it's going to impact the encryption that's in cloud storage, it's impact the encryption that's on storage in your data center, on your backups, on your systems that you use. From an operational perspective on applications, on radiology systems, labs, I mean, just about every system that you can think about that collects patient information today the information is encrypted somewhere, either in that application or once it is stored in the back end.
And that data is typically encrypted in transit. So moving from place to place, if you will, or from application to application. So, I mean, it is literally taking a 100% inventory of your entire network ecosystem and understanding everywhere that you have encryption and everywhere that you would, you would need to consider upgrading from whatever the current standard is to this new standard in order for you to be prepared to and be able to protect that data. And where the rub comes in is, and this is because what we're talking about here is basically getting systems to the point to protect going forward.
And the sooner you're able to do that before quorum computers become more mainstream, the better off you're going to be. Now, the flying ointment, so to speak, if you will, from a cyber risk perspective, is that we have these things, these attacks, they're called hardest now, decrypt later attacks, which means basically I hack you, I steal your data, even though your data may be encrypted. I don't care because I'm playing the long game, which is what the nation state actors and the real sophisticated hackers may do and certainly the serious attackers. I may hack you today, steal your data, even though you may have it accurately protected and encrypted.
And I can't decrypt it right now, but I'll just hang on to it until I have a quantum computing capability and I'll decrypt it then. So part of the analysis that I think people need to make is what data do you have today that if it were to be stolen by a hacker and if it were to be decrypted five years from now, would still be relevant, would still cause an issue. The other fly in the ointment here is that one of the rules in terms of Hippo in particular is that encryption has always been that gadget jail free card. If in order to do get hacked and your information is all encrypted, you've done what was reasonable to protect it with harvest now and decrypt later again, I can hack you today, I can steal your steal data from you today, I can decrypt it five years from now.
What does that do to that whole scenario? In other words, can I still say that the information that was stolen tomorrow, for instance, or in the next couple years, for instance, can I still say that I can, I can absolutely say to the people that that data belongs to that your data will never be at risk. So Max, these are great points. And as we know, the healthcare sector had been slow in encrypting much of its data in the first place, although things have vastly improved, as is evident in, for example, the huge decline that we see in healthcare breaches reported to regulators these days that do involve unencrypted lost or stolen mobile devices, for instance, like you just mentioned.
But with that said, how hopeful are you that the healthcare sector won't be a laggard again when it comes to adopting post quantum computing encryption standards once they're available? I'm hopeful, I'm not confident I'll put it that way. The reason I say that is because, number one, other than this conversation you and I are having today, maybe a few conversations here or there, there is a lot of discussion about this topic in healthcare, which is one of the reasons why I think this is such a great idea to have this discussion, because we should be having this discussion today. We should be thinking about these future threats that are coming down the road and not just the ones that we're dealing with right now.
Number one, I think the biggest concern I have with healthcare's migration is that this is going to be another investment for them. It's going to be another thing that adds to their cost. Healthcare is already getting the heck out of them with cost. And but this is just another thing that it's going to take time and it's going to take effort and it's going to take people and so it's going to cost and you know what that cost is I don't think anybody's been able to define yet.
But certainly, you know, you don't, you just don't migrate this much information to a new system without having some impact. And that's the other challenge here is, is healthcare as we know still has a lot of legacy systems. Will those legacy systems even be able to handle the new standard or be part of that migration and is that going to add to organizations cost in terms of having upgrade systems to even be able to do the migration? So I think there's a lot of questions out there that still need to be asked and answered and I think the point is right now is that what we ought to do, we ought to be talking about this and we ought to be asking these questions and somebody ought to be thinking about what kind of impact is this going to have on healthcare because this is being driven down, if you will, from the government.
I mean this is something that quite frankly that I think Health and Human services ought to be in front of and there ought to be a group right now that's, that is talking about as the government is going through this and is going to be learning some lessons learned as it goes through their process. How do we migrate those lessons learned from their preparation over to healthcare over to other private sector organizations so we don't, so everybody doesn't have to learn it on their own or repeat somebody else's mistakes. I just think that's something that people should be getting in front of. It's something that we should be discussing with executives in this industry so they understand that this is something that's coming down the pike, that's going to affect them, it's going to affect their organization.
I figured one of your questions was going to be what should we be doing? So I wrote down, you know, my first, my number one step was stop waiting, start getting ready and start learning about, you know, educating your organization on quantum computing and the security issues that are associated with it. And while NIST and the other folks are looking for those approved post quantum cryptography solutions, begin to inventory your information in your environment. You know, incorporate quantum resistant encryption plans into your strategic planning so that you know that this is going to be something you're going to be, you're going to start addressing as early as you potentially can, prioritize your assets for migration and your infrastructure upgrades may be necessary and the data that needs to be migrated to the new standard.
And then start looking for the partners and the solutions that are going to help you or enable that migration. Make it easier. There are already organizations out there that are beginning to build solutions that will assist in the migration of the current encryption solutions, if you will, to the new model. Don't wait.
Start working on it now. This is something that HHS ought to be saying, you know what, we need to take the lead on this. We need to put a group together. We need to involve the industry and we need to, we need to get out in front of this to make sure this isn't something that becomes a big issue for this industry.
Finally, Synergistic last year merged with another privacy and security consulting firm, Clearwater. And you've retired from day to day duties at the company. How are you keeping busy besides thinking about quantum computing? Well, this is one of the things that keeps me busy because I still very much enjoy what I've done for the last four years.
So I am looking at some of these things and I am doing things like this with you and with other folks and I'm advising different organizations. And, you know, I'm at that point where, you know, I'd like to be an advocate for our industry and for the, you know, tough work that all of our CISOs and health care are doing and have to do and our CIOs. And on top of that, I have, I have two ranches. Every day I spend time on one that I raise miniature donkeys on the other one that I raise cattle on.
And then I have six grandchildren. And after that, I don't think I have much time left. While you are keeping busy, Macken, I appreciate you taking the time to speak with me today. I've been Speaking to Mac McMillan and I'm Marianne Kobizaki of Information Security Media Group.
Thanks for joining us.