What Is Post-Quantum Cryptography - and Why Should Medical Device Makers Care?

Topics: Cryptography
Stacey Martinez

June 24, 2025

Post-quantum cryptography (PQC) isn’t just an emerging trend—it’s a growing concern for medical device manufacturers navigating long product lifecycles, evolving threats, and tightening regulatory expectations.

With quantum computing poised to break today’s cryptography, and the FDA requiring robust cryptographic protections throughout a device’s lifespan, the time to prepare is now.

The Regulatory Context: Future-Proofing Through Crypto-Agility

The FDA’s 2023 Premarket Cybersecurity Guidance and Section 524B of the FD&C Act require medical device submissions to demonstrate "reasonable assurance" that cybersecurity protections - like encryption and authentication - will remain effective over time. This includes:

  • Using strong cryptographic algorithms for confidentiality, integrity, and authentication
  • Designing systems that support updates and adaptability as threats and standards evolve
  • Documenting how these protections are applied and maintained over the product lifecycle

While post-quantum algorithms are not yet required, regulators expect manufacturers to plan for cryptographic evolution - especially for devices expected to remain in the field for 10+ years.

Failing to build in cryptographic flexibility today could result in future regulatory delays, costly redesigns, or postmarket vulnerability exposure.

Why It Matters to Medical Devices

Medical devices face unique risks when it comes to long-term cryptographic resilience:

  • 10–15+ year field lifespans make them vulnerable to future decryption threats
  • Heavy reliance on encryption for secure boot, remote monitoring, updates, and data protection
  • Ultra-low-power hardware limits the ability to retrofit compute-heavy crypto later

If static algorithms like RSA or ECC are hardcoded today, your device could be functionally secure now - but obsolete later.

What is PQC?

PQC refers to cryptographic algorithms designed to remain secure even against the power of a large-scale quantum computer. In July 2022, the National Institute of Standards and Technology (NIST) selected new standards:

  • FIPS 203 (CRYSTALS-Kyber) for key exchange
  • FIPS 204 (CRYSTALS-Dilithium) for digital signatures
  • FIPS 205 (SPHINCS+) as a conservative, hash-based signature scheme

These algorithms are being standardized now and will form the cryptographic foundation for the future - including in regulated industries like healthcare.

Connecting PQC to the FDA’s SPDF Framework

Implementing cryptographic agility and planning for PQC aligns with several key elements in the FDA’s 2023 Premarket Cybersecurity Guidance:

Security Risk Management
Threat modeling and cryptographic assessments should consider the long-term viability of algorithms in use - particularly for legacy crypto (RSA, ECC) that may be deprecated.

Security Architecture
Designs should enable modular cryptographic libraries and secure update pathways so future algorithms can be implemented without full system redesign.

Cybersecurity Testing
PQC algorithms can place greater demands on memory and compute resources. Testing must verify device performance, compatibility with third-party components, and usability under cryptographic load.

Documentation and Transparency
While not required, some manufacturers are adopting Cryptographic Bills of Materials (CBOMs) - a companion to the SBOM - to document:

  • What algorithms and key lengths are in use
  • How they are applied in the system
  • Whether and how they can be updated

CBOMs are not explicitly required by the FDA, but they are becoming a best practice to demonstrate cryptographic visibility and lifecycle planning.

Postmarket Surveillance
The FDA expects ongoing monitoring of cybersecurity threats - and cryptographic protections are no exception. Crypto-agility helps you respond to emerging risks without waiting for product recalls or field failures.

What Should You Do Today?

You don’t have to implement PQC tomorrow - but you do need to start building in flexibility. Here’s where to begin:

  • Know your cryptography: Inventory the algorithms, key sizes, and use cases in your system
  • Document your cryptographic posture: Consider a CBOM to organize and communicate your crypto strategy internally and externally
  • Build crypto agility into architecture: Use modular libraries and support secure updates
  • Align with FDA documentation expectations: Reference FDA guidance in your submission, showing how your system anticipates cryptographic change
  • Work with experienced partners: Post-quantum readiness requires deep knowledge of constrained systems, cryptographic integration, and regulatory nuance

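The inventory and triage that the CBOM section and the checklist above describe, as an added Python example that is not part of the original post: it builds a minimal CBOM-style inventory for a constructed, hypothetical device and rates each entry by the criteria the post names (quantum-vulnerable public-key family, hardcoded versus field-updatable, 10+ year lifespan). The algorithm-family names, the three risk levels and the 256-bit symmetric threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, asdict

# Public-key families broken by a large-scale quantum computer (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "EdDSA"}
# The NIST standards named in the post, keyed by the names the post uses.
PQC_STANDARDS = {"CRYSTALS-Kyber": "FIPS 203", "CRYSTALS-Dilithium": "FIPS 204", "SPHINCS+": "FIPS 205"}
RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class CryptoAsset:
    use_case: str    # where the primitive is applied (secure boot, TLS, data at rest, ...)
    algorithm: str   # algorithm family, as named in the sets above
    key_bits: int    # key or security-parameter length in bits
    updatable: bool  # False if hardcoded (e.g. in boot ROM) and not replaceable by a field update

def assess(asset: CryptoAsset, years_in_field: int) -> tuple[str, str]:
    """Rate one asset by the post's criteria: algorithm family, updatability, field lifespan."""
    if asset.algorithm in PQC_STANDARDS:
        return "low", f"post-quantum algorithm ({PQC_STANDARDS[asset.algorithm]})"
    if asset.algorithm in QUANTUM_VULNERABLE:
        if not asset.updatable:
            return "high", "quantum-vulnerable and hardcoded; needs a redesign to replace"
        if years_in_field >= 10:
            return "high", "quantum-vulnerable over a 10+ year lifespan; schedule PQC migration via secure update"
        return "medium", "quantum-vulnerable but field-updatable; plan the migration"
    # Symmetric ciphers and hashes are not broken by Shor's algorithm; flagging keys
    # below 256 bits for long-lived devices is an assumed conservative policy, not a rule.
    if asset.key_bits < 256:
        return "medium", "symmetric/hash key below 256 bits; consider a larger key"
    return "low", "symmetric or hash primitive with a 256-bit or larger key"

def cbom_report(inventory: list[CryptoAsset], years_in_field: int) -> list[dict]:
    """CBOM rows plus a risk rating, highest risk first (stable order within a level)."""
    rows = [{**asdict(a), **dict(zip(("risk", "reason"), assess(a, years_in_field)))}
            for a in inventory]
    return sorted(rows, key=lambda r: RANK[r["risk"]])

# Constructed sample inventory for a hypothetical device with a 12-year field life.
SAMPLE_INVENTORY = [
    CryptoAsset("secure boot signature", "RSA", 2048, updatable=False),
    CryptoAsset("TLS key exchange (remote monitoring)", "ECDH", 256, updatable=True),
    CryptoAsset("firmware update signature", "ECDSA", 256, updatable=True),
    CryptoAsset("patient data at rest", "AES-GCM", 128, updatable=True),
    CryptoAsset("audit log integrity", "HMAC-SHA256", 256, updatable=True),
]

if __name__ == "__main__":
    for r in cbom_report(SAMPLE_INVENTORY, years_in_field=12):
        print(f"[{r['risk']:6}] {r['use_case']}: {r['algorithm']}-{r['key_bits']} updatable={r['updatable']} -> {r['reason']}")
```

For the sample device the hardcoded RSA boot signature ranks highest because no update path exists, while the updatable ECDH and ECDSA uses rank high only because of the 12-year lifespan.
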
Looking Ahead

The shift to quantum-safe cryptography is underway - even if it’s not yet mandated. By starting now, manufacturers can future-proof their devices, minimize regulatory friction, and build trust in long-term product security.

Up Next: How Post-Quantum Readiness Aligns with FDA Expectations for Medical Devices

In our next post, we’ll break down what FDA reviewers actually look for, how post-quantum planning fits into a secure-by-design strategy, and how proactive cryptographic flexibility can streamline your submission.
