Electronic health records (EHRs) are foundational to modern healthcare delivery in the United States. They support clinical documentation, billing, quality reporting, public health surveillance, and research. As their volume, sensitivity, and longevity increase, security has become a central operational and policy concern. In response, a new generation of quantum-relevant security technologies is being pursued to strengthen EHR protections against both current cyber threats and the longer-term risk posed by cryptographically relevant quantum computers. These technologies include post-quantum cryptography (PQC) resistant to attacks from future quantum computers and quantum technology-based approaches such as quantum key distribution (QKD) and layered architectures that integrate PQC and QKD.
This report examines the potential role of quantum-relevant technologies in sharing and securing medical data, with a focus on EHR systems. It assesses technical readiness, market structure, regulatory context, and implementation challenges. The analysis distinguishes between near-term approaches and more infrastructure-intensive options such as QKD, which may be better suited to specialized use cases in the U.S. EHR market.
The immediate next steps for healthcare data security will come from adoption of PQC. Federal standardization of post-quantum encryption schemes and deprecation of existing encryption schemes for federal systems by 2035 have reduced technical uncertainty and provided a clear incentive for staged migration of nonfederal systems. This transition will require enterprises to undertake coordinated planning; an inventory of cryptographic assets; and modernization of legacy systems across the heterogeneous healthcare IT environment.
By contrast, near-term deployment of QKD in support of EHR exchange is likely to be more limited. The U.S. healthcare ecosystem is decentralized, resource-constrained, and characterized by limited interoperability. Infrastructure-level security upgrades that require coordinated adoption across multiple independent entities are likely to proceed cautiously and selectively. QKD may prove valuable for specific site-to-site connections, tightly controlled research data transfers, or federal health systems, but market conditions and the lack of a regulatory mandate make widespread near-term deployment across the broader U.S. healthcare ecosystem unlikely. Ultimately, QKD may be an optional feature offered by existing telecommunications companies to hospital systems and other healthcare providers.
International comparisons illustrate how market structure and the governance of healthcare systems influence the feasibility of adoption. Countries with more centralized healthcare systems and telecommunications infrastructure are better positioned to pilot quantum-secure networking approaches at scale. These cases provide insight into possible implementation pathways, but they do not eliminate the structural realities of the U.S. market.
Long-term progress will be accelerated by treating PQC and related quantum-safe measures as part of a layered cybersecurity modernization strategy for healthcare, rather than alternative stand-alone initiatives. Policy levers such as standards development, procurement guidance, and targeted incentives may influence the pace of adoption. However, technological feasibility alone will not determine outcomes: institutional structure, economic incentives, regulatory clarity, and the extent to which EHR systems are interoperable and consistently exchange usable data will shape the trajectory of quantum-safe EHR deployment.