Long-lived data, quantum risk: harvest-now-decrypt-later in biomedical research

The most dangerous thing about some data is how long it stays sensitive. Genomic sequences, long-term clinical trial data, and medical IP can carry confidentiality lifespans measured in decades. Against the harvest-now-decrypt-later (HNDL) threat model, that longevity turns a future technology risk into a present governance decision.

This is a published intelligence brief, not legal or medical advice. Claims are tied to named sources, with a snapshot date below.

The threat model: why “later” is a present problem

Harvest-now-decrypt-later is a documented threat scenario in which an adversary captures encrypted data today — at relatively low cost — and stores it against the day when a cryptographically relevant quantum computer (CRQC) exists to decrypt it. Current quantum-vulnerable encryption algorithms, including RSA and elliptic-curve cryptography, can be broken by a CRQC running Shor’s algorithm.

The critical variable is data shelf-life. If the confidentiality value of a dataset will outlast the time between now and the emergence of a CRQC, that dataset is at risk today. Uncertainty about exactly when fault-tolerant quantum hardware will arrive does not reduce that risk — it affects only the window available to act.

Why biomedical research is a sharp case

Biomedical research data sits at a unique intersection of three factors that amplify quantum risk:

Long confidentiality lifespans. A genomic sequence does not become less sensitive over time — if anything, the interpretive value of genomic data increases as analytical capabilities improve. Clinical trial results have regulatory, IP, and scientific significance for decades. Research archives routinely contain datasets protected for 30, 50, or more years.

Irreversibility. Unlike a leaked password, a genomic sequence cannot be changed. Re-identification of nominally de-identified genomic data has been demonstrated in peer-reviewed research and is not hypothetical. A patient cannot consent again after their genomic identity has been exposed; the harm is permanent.

Consent and trust obligations. Research participants consent to their data being used and protected under specific conditions. The confidentiality commitments embedded in that consent are not conditional on the current state of cryptographic technology. If the systems holding that data are quantum-vulnerable, the institution is carrying an obligation it may not be able to honor.

The Hippocratic Quantum framework

Quentir’s Hippocratic Quantum framework — developed in the founder’s peer-reviewed work and grounded in the principles of responsible quantum innovation — names three governance anchors specifically relevant to biomedical quantum-AI contexts:

Consent: Quantum-enabled capabilities, including enhanced data-mining and re-identification, interact with the consent framework under which research data was collected. Governance should assess whether the consent obtained is compatible with current and near-future quantum-AI capabilities applied to that data.

Irreversibility: In biomedical contexts, harms from data exposure are often irreversible. The governance standard for irreversible-harm risks is higher than for reversible ones — precautionary posture, earlier migration, documented rationale for any delay.

Translational discipline: Quantum technologies are being applied to biomedical research — drug discovery, protein folding, genomic analysis — before their safety and security implications are fully understood. Governance should include explicit assessment of where quantum-enhanced capabilities interact with data not originally collected under a quantum-risk assumption.

What to assess now

What long-lived sensitive data do we hold in quantum-vulnerable systems? The starting point is a data inventory ranked by two dimensions: sensitivity (re-identification risk, IP value, regulatory status) and longevity (how long this data must remain confidential). Data that scores high on both dimensions is the priority population for PQC migration planning.

What is the current cryptographic posture of our research data stores? This requires an inventory of the encryption algorithms protecting long-lived datasets, and a gap analysis against current PQC standards (NIST FIPS 203/204/205). Many research institutions operate legacy infrastructure — data repositories, archival systems, secure enclaves — that has not been updated to reflect the NIST finalization.

Who owns migration accountability? In a research institution, data governance often sits across multiple domains — the CISO, the research data office, the ethics committee, and the PIs who collected the data. A migration plan for long-lived research data requires a named owner at the institutional level, not distributed responsibility across research programs.

How Quentir reads it

Quentir’s intelligence work maps the HNDL threat model, the Hippocratic Quantum governance framework, and the PQC migration calendar to dated, named sources — readiness material for research leadership, ethics bodies, and boards. It is not legal or medical advice on any specific situation.

Sources: NIST FIPS 203/204/205 (Aug 2024); Hippocratic Quantum framework (peer-reviewed, Mauritz Kop); HNDL threat documentation (NSA, ENISA); re-identification literature. Snapshot date: June 2026.

This brief is published intelligence produced by Quentir Systems LLC. It does not constitute legal, medical, or regulatory advice and creates no advisory or client relationship. Consult qualified advisers for advice specific to your organization’s situation.