The Swedish healthcare sector is facing a technological shift that could change the rules of the game for information security. Quantum computers, which in the future may be able to crack today’s encryption, pose a long-term threat to the protection of sensitive data, such as health data.
At the same time, quantum technology opens the door to groundbreaking medical research and drug development. It is not a question of if the technology will arrive, but when. It is also a complex issue of how to manage the balance between innovation and security. What is clear, however, is that leaders within Sweden’s healthcare sector need to act now, before the threat becomes a reality.
A new report from RISE in collaboration with the Swedish E-health Agency, funded by Vinnova, states that time is short. The strategy hackers are already using is called "harvest now, decrypt later," which involves collecting encrypted data today to decrypt it once quantum computers become powerful enough. The decrypted information can then be used for purposes such as blackmail. For health data, which retains its value throughout an individual’s lifetime, this could be an existential threat.
"The greatest threat is not technical uncertainty but passivity, and decision-makers need to become aware of this. There are no finalized standards yet, but there are basic standards for post-quantum cryptography, PQC, which means the work can begin, and it needs to be done now. If we wait to start until everything is in place, we risk falling several years behind," says Michael Popoff, senior researcher in quantum technologies at RISE.
The report points out that crucial decisions need to be made now, ahead of new procurements and within management teams. The framework agreements signed during 2026 will determine whether systems are equipped with PQC by 2030, when the EU requires them to be. PQC consists of classical, non-quantum-based algorithms designed to withstand attacks from quantum computers. In other words, requirements for PQC readiness must be introduced immediately.
"We are seeing a development where security requirements are taking an increasingly prominent place in public procurement. This gives public actors a strategic opportunity to steer the market," says Åse Lundh Gravenius, senior researcher and legal expert.
She emphasizes that it may be necessary to have the ability to exclude suppliers for security reasons. But the issue is not just technical; it is also organizational and ethical. Quantum resilience must be anchored at the management level and integrated into risk management.
"The solutions are there, the technology is there, so let’s talk about it. This is not an IT issue, but a management issue. Health data are stories of people's lives, collected under trust. Protecting them is not just a legal obligation but also a social responsibility," says Michael Popoff.
The report suggests that Sweden quickly develops a technical reference document for quantum resilience within the healthcare sector before international standards are in place. Economic incentives, such as time-limited support for inventories and migration plans, can give municipalities and regions the capacity to act. Knowledge management and communication are crucial to awakening the will to act.
"We must see the synergies. There are clear overlaps between the measures required for quantum resilience and the processes now following from NIS2 and EHDS. It’s not about new resources, but about smart coordination and a high pace," says Åse Lundh Gravenius.
The message is clear: the threat is in the future, but the time to act is now. The path toward quantum resilience today is about using existing steering instruments strategically, such as procurement, executive management, and coordination with other regulations.
In a newly started Vinnova project led by RISE, researchers will now investigate how to implement the transition to quantum-secure solutions for health data. The project works with case studies and in working groups representing different actors in the ecosystem. The idea is to prepare actors handling health data, both private and public, for the migration to quantum-secure IT systems that will be required. The project concludes at the end of 2028, and the goal is then to have a secured transition to quantum-secure solutions for the healthcare sector by 2030.
Read the full report (pdf, in Swedish) Framtidens hot, dagens beslut - policy för kvantsäkra hälsodata
