Why Healthcare Is the Primary Target
Healthcare data is the most valuable data category in existence for adversaries pursuing long-timeline intelligence operations. A stolen credit card number has a useful lifespan measured in hours. A stolen Social Security number might be valuable for years. But a stolen medical record—containing diagnoses, genetic information, mental health history, substance abuse records, and sexual health data—is sensitive for the lifetime of the patient, and often beyond.
This is not a theoretical concern. The healthcare industry has already demonstrated what happens when attackers gain access to medical systems:
- Change Healthcare (2024): The UnitedHealth Group subsidiary suffered a breach that disrupted healthcare payments across the entire United States. The attack affected billing systems for hospitals, pharmacies, and clinics nationwide. The total economic impact exceeded $22 billion when accounting for delayed payments, remediation costs, and downstream effects.
- Anthem Inc. (2015): 78.8 million patient records stolen, including names, dates of birth, Social Security numbers, and medical IDs. The breach went undetected for over a year.
- HHS Breach Portal: The Department of Health and Human Services tracks healthcare breaches affecting 500+ individuals. Over 5,000 breaches have been reported since 2009, affecting over 500 million individuals total.
The pattern is clear: healthcare data is high-value, systems are chronically under-secured, and the impact of breaches is catastrophic for patients and organizations alike. HIPAA penalties alone can reach $2.1 million per violation category per year, with criminal penalties of up to 10 years imprisonment for willful neglect.
What HIPAA Actually Requires (and Where It Falls Short)
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes standards for protecting electronic protected health information (ePHI). The encryption requirements are specified in two key sections:
45 CFR 164.312(a)(2)(iv) — Encryption at Rest
Covered entities must implement a mechanism to encrypt and decrypt ePHI when it is stored. This is classified as an "addressable" implementation specification, meaning organizations must implement it or document why it is not reasonable and appropriate (and implement an equivalent alternative measure). In practice, every major healthcare organization encrypts data at rest with AES-256.
45 CFR 164.312(e)(2)(ii) — Encryption in Transit
Covered entities must implement a mechanism to encrypt ePHI whenever it is transmitted over an electronic communications network. Again, this is "addressable" in specification but universal in practice. TLS 1.2 or 1.3 is the standard implementation.
The Processing Gap: What HIPAA Does Not Address
Here is the critical gap that most healthcare CISOs and compliance officers have never confronted: HIPAA says nothing about encryption during processing.
When a clinical decision support system queries patient records, it must decrypt the data to perform the computation. When a billing system matches claims to patient demographics, the data is decrypted in memory. When a research platform runs analytics across a patient cohort, every record in that cohort is decrypted on the server.
During processing, ePHI exists in plaintext in server memory. It is accessible to anyone with root access to the server, anyone who can exploit a memory disclosure vulnerability, and any insider threat with sufficient privileges. Encryption at rest protects the disk. Encryption in transit protects the wire. Nothing in HIPAA protects the computation.
This is the gap that Fully Homomorphic Encryption (FHE) closes.
How FHE Closes the Processing Gap
Fully Homomorphic Encryption allows computations to be performed directly on encrypted data without ever decrypting it. The result of the computation is also encrypted—only the holder of the decryption key can read the output. At no point during processing does the data exist in plaintext.
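As an added illustration (not H33's code or API), the following toy BFV-style scheme shows a server summing batches of encrypted lab values without ever holding the decryption key. The parameters (N = 32, power-of-two moduli), the function names, and the sample HbA1c values are assumptions chosen for readability and provide no real security.

```python
import secrets

# Toy BFV-style parameters (assumed for illustration; far too small to be secure).
N = 32           # ring Z_Q[x]/(x^N + 1); one lab value per coefficient
Q = 1 << 56      # ciphertext modulus (production schemes use NTT-friendly primes)
T = 1 << 16      # plaintext modulus; every per-slot sum must stay below T
DELTA = Q // T   # scale factor that lifts the message above the noise

def small():     # fresh ternary polynomial, coefficients in {-1, 0, 1}
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def mul(a, b):
    """Negacyclic product: x^N wraps around to -1."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % N] += x * y if i + j < N else -x * y
    return [v % Q for v in out]

def keygen():
    s = small()                                      # secret key: stays with the data owner
    a = [secrets.randbelow(Q) for _ in range(N)]
    b = [-v % Q for v in add(mul(a, s), small())]    # b = -(a*s + e)
    return s, (b, a)

def encrypt(pk, values):
    (b, a), u = pk, small()
    m = [DELTA * v % Q for v in values] + [0] * (N - len(values))
    return add(add(mul(b, u), small()), m), add(mul(a, u), small())

def server_sum(ciphertexts):
    """Server side: needs no key, only adds ciphertext components."""
    c0, c1 = ciphertexts[0]
    for d0, d1 in ciphertexts[1:]:
        c0, c1 = add(c0, d0), add(c1, d1)
    return c0, c1

def decrypt(s, ct):
    noisy = add(ct[0], mul(ct[1], s))                # = DELTA*m + small noise
    return [(T * v + Q // 2) // Q % T for v in noisy]

# Constructed sample data: HbA1c x10 for two batches of 32 patients.
batch_a = [55 + i for i in range(N)]
batch_b = [90 - i for i in range(N)]
sk, pk = keygen()
total = decrypt(sk, server_sum([encrypt(pk, batch_a), encrypt(pk, batch_b)]))
print(total[:3])  # [145, 145, 145]
```

Decryption stays correct only while each per-slot sum is below T and the accumulated noise is below DELTA/2, which bounds how many batches can be summed before the result is wrong.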
H33's BFV FHE engine (H33-128) implements this capability with production-grade performance. Here is what it enables for healthcare:
H33-MedVault: Query Encrypted Patient Records
H33-MedVault allows healthcare organizations to query patient databases without decrypting the records. A physician searching for "patients with HbA1c > 7.0 and eGFR < 60" can execute that query against encrypted data. The server that processes the query never sees the lab values, never sees the patient identifiers, never has access to any plaintext ePHI.
The implications for compliance and security are profound:
- No plaintext exposure during queries: Even if the server is compromised, the attacker obtains only ciphertext. The data is mathematically protected, not policy-protected.
- No insider threat during processing: Database administrators, system administrators, and cloud provider employees cannot access patient data because it is never decrypted on the server.
- Breach notification changes: Under HIPAA, encrypted data that is accessed without authorization is not considered a breach if the encryption key was not also compromised (the "safe harbor" provision in 45 CFR 164.402). FHE extends this safe harbor to data during processing, not just at rest.
Performance That Works in Clinical Settings
The historical criticism of FHE has been performance. Early FHE implementations were millions of times slower than plaintext operations, making them impractical for any real-world use. H33 has eliminated this barrier.
H33's BFV implementation uses SIMD batching to process 32 patient records in a single ciphertext operation. With an N=4096 polynomial degree and a single 56-bit modulus, each batch operation completes in 939 microseconds. At scale on AWS Graviton4 infrastructure, this translates to 2.17 million verifications per second—more than sufficient for any healthcare workload, from single-clinic EHR queries to national-scale claims processing.
| Operation | H33 FHE Latency | Plaintext Equivalent | Overhead |
|---|---|---|---|
| Patient record lookup | ~1.2 ms | ~0.05 ms | 24x |
| Batch biometric auth (32 users) | ~1.2 ms | ~0.1 ms | 12x |
| Cohort query (1000 patients) | ~38 ms | ~2 ms | 19x |
| Aggregate analytics | ~5 ms | ~0.3 ms | 17x |
A 12-24x overhead over plaintext computation is a real cost, but it is well within the latency budgets of clinical systems. An EHR query that takes 1.2 ms instead of 0.05 ms is imperceptible to the clinician. The security gain—mathematical privacy vs. policy-based privacy—is worth orders of magnitude more than 1.15 ms.
Post-Quantum Authentication for Healthcare
Beyond FHE for data processing, healthcare organizations need quantum-resistant authentication. Every login to an EHR system, every API call between hospital systems, every identity verification for a patient portal—these all rely on digital signatures and key exchange that are vulnerable to quantum attacks.
H33-Health provides HIPAA-compliant, post-quantum authentication using:
- ML-KEM (FIPS 203) for key encapsulation in session establishment—replacing ECDH in TLS handshakes between healthcare systems
- ML-DSA (FIPS 204) for digital signatures on authentication tokens, prescription signing, and inter-system API authentication
- FHE-based biometric matching for patient identity verification without exposing biometric templates in plaintext
- STARK zero-knowledge proofs for verifying patient eligibility and coverage status without revealing the underlying patient data
Mathematical Privacy vs. Policy-Based Privacy
This is the fundamental paradigm shift that healthcare needs to understand. Traditional HIPAA compliance is policy-based privacy: you write access control policies, enforce role-based permissions, audit access logs, and hope that the combination of administrative, physical, and technical safeguards prevents unauthorized access. When those safeguards fail—as they inevitably do—the data is exposed.
FHE and post-quantum cryptography provide mathematical privacy: the data is protected by the hardness of mathematical problems (lattice problems for PQC, Learning With Errors for FHE) that cannot be defeated by policy failures, insider threats, server compromises, or quantum computers. The protection is not dependent on access controls working correctly. It is inherent in the mathematics.
| Threat | Policy-Based (Traditional) | Mathematical (H33 FHE + PQC) |
|---|---|---|
| Insider with root access | Can read all data in memory | Sees only ciphertext; no decryption key on server |
| Server compromise | Full data exposure | Encrypted data only; computations happen on ciphertext |
| Cloud provider access | Can access data at rest and in transit endpoints | Cannot access data even during processing |
| Quantum computer | All RSA/ECC-encrypted data decryptable | Lattice-based encryption remains secure |
| Harvest-now-decrypt-later | All intercepted data at risk | PQ algorithms resist future quantum decryption |
| HIPAA safe harbor | Only applies to data at rest and in transit | Extends to data during processing (FHE) |
The Compliance Advantage
Organizations that deploy FHE and post-quantum cryptography gain a significant compliance advantage beyond meeting minimum HIPAA requirements:
- OCR enforcement: The HHS Office for Civil Rights has increasingly focused on encryption failures in enforcement actions. Demonstrating encryption during processing (not just at rest and in transit) positions your organization ahead of the regulatory curve.
- State privacy laws: California (CCPA/CPRA), Washington (My Health My Data Act), and other state laws impose additional requirements on health data processing. FHE satisfies these requirements by ensuring data is never exposed during computation.
- Cyber insurance: Insurers are beginning to differentiate premiums based on post-quantum readiness. Understanding the cost of post-quantum migration is essential for budget planning. Organizations that can demonstrate PQC deployment may qualify for lower premiums as quantum risk pricing becomes standard.
- Patient trust: As quantum computing enters mainstream public awareness, patients will ask how their data is protected. "Your data is encrypted even during processing, using quantum-resistant algorithms" is a competitive differentiator.
- Future-proofing: When HHS eventually updates HIPAA's Security Rule to address quantum threats (an update that is widely expected but not yet published), organizations already running PQC will face zero compliance disruption.
Getting Started
H33 provides healthcare-specific solutions through three products:
- H33-MedVault: Encrypted search and query over patient databases using BFV FHE. Query ePHI without decryption.
- H33-Health: Post-quantum patient authentication with FHE-based biometric matching and ML-DSA signed credentials.
- H33 PQC Platform: Full ML-KEM and ML-DSA implementation for all inter-system communication, API authentication, and data encryption.
All three products are available through a single API with credit-based pricing and a free tier. SOC 2 Type II, HIPAA, and ISO 27001 compliance is maintained at 100% in Drata.
The sensitivity window for healthcare data is measured in decades. The quantum threat window is measured in years. The gap between those timelines is closing. The organizations that act now will protect their patients. The organizations that wait will explain to regulators and patients why they did not.