Medical records protected for decades — from DICOM to telehealth APIs
Medical records (imaging, genomics, ECG) must be retained for 25-99 years. If they are encrypted with RSA or ECDSA today, an attacker can capture the ciphertext now and decrypt it once a sufficiently large quantum computer exists. The patient is born today; the attack happens in 2035+. The only defense is migrating to post-quantum cryptography before Q-Day.

Three real scenarios where PosQuantum acts
Long-retention DICOM archive
University hospital with ~4 PB of DICOM images (X-ray, CT, MRI) accumulated over 12 years. Requirement: minimum 25-year retention for pediatrics, 5 years for adults, and immediate clinician access.
Traditional storage is encrypted with AES-256, with the key wrapped by RSA-2048. Q-Day breaks RSA and exposes the symmetric keys.
PUCE Archive creates signed manifests (Ed25519 today, Dilithium3 migration on SDK upgrade) pointing to blobs already in R2. Lossless compression is applied before upload (typically 18-42% savings on DICOM). Periodic automatic verification guarantees integrity. Keys are wrapped with ML-KEM-1024 via PQSL.
Cross-border telemedicine (EU + Switzerland)
Video-consultation SaaS platform. 40k physicians, 2M patients, data subject to GDPR (EU) and nLPD (CH). Peaks of 8k concurrent sessions.
Current TLS 1.3 uses ECDHE-X25519 for the handshake, which is breakable by a quantum computer. The audio/video stream can be harvested by a state MITM and decrypted retrospectively.
PUCE Stream uses PQSL-encrypted segments (ML-KEM-768 hybrid X25519+Kyber handshake). PQSL middleware in front of the Express API maintains rate limiting and PQC headers. Consultation records go to PUCE Archive (7-year legal retention).
Secure genomics sharing for research
Consortium of 6 European hospitals sharing WGS/WES datasets (3-10 GB per patient) for cancer studies. Pseudonymised but still re-identifiable data.
Sharing runs over SFTP with classical SSH keys. Files sit in cold cloud storage, encrypted with AES-GCM under an RSA-wrapped master key.
PUCE Storage serves as the collection layer (short-TTL presigned URLs). One PUCE Archive per study carries a signed file list, allowing a "patient in study" audit. Per-researcher access tokens are derived via ML-KEM; each researcher has a short rotatable key.
Reference architecture
1. Ingestion
The DICOM / HL7 FHIR modality sends data through PQSL middleware (Express/FastAPI/Spring) to a presigned upload endpoint.
2. Storage
PUCE Storage stores blobs on R2/S3 encrypted with AES-256-GCM, key wrapped by ML-KEM-1024.
3. Legal archive
PUCE Archive creates signed manifests by retention policy (25 years pediatric, 5 years adult), offline-verifiable.
4. Clinical access
PUCE Stream for in-browser DICOM viewing without full download; 1-7 day TTL tokens.
5. Audit
Immutable SHA3-256-signed logs + SLAAC for HIPAA/ISO 27799 inspection.
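The legal-archive step above describes manifests built per retention policy and verifiable offline. The following is an added example, not PosQuantum code or the PUCE Archive format: the manifest fields, function names, and the use of SHA3-256 for blob digests are assumptions, and signing (Ed25519 per the page) is left out, with only the canonical bytes to be signed produced.

```python
import hashlib
import json
from datetime import date

# Retention periods come from the page; the manifest layout and SHA3-256
# blob digests are assumptions of this example.
RETENTION_YEARS = {"pediatric": 25, "adult": 5}

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb has no counterpart in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def build_manifest(blobs, created):
    """blobs maps name -> (content bytes, retention category)."""
    entries = []
    for name in sorted(blobs):
        data, category = blobs[name]
        entries.append({
            "name": name,
            "sha3_256": hashlib.sha3_256(data).hexdigest(),
            "retain_until": add_years(created, RETENTION_YEARS[category]).isoformat(),
        })
    return {"created": created.isoformat(), "entries": entries}

def signing_input(manifest):
    """Canonical bytes a signer would sign; signing itself is not shown."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def verify(manifest, store, today):
    """Return name -> (status, under_retention) from manifest and blobs alone."""
    report = {}
    for e in manifest["entries"]:
        data = store.get(e["name"])
        if data is None:
            status = "missing"
        else:
            ok = hashlib.sha3_256(data).hexdigest() == e["sha3_256"]
            status = "ok" if ok else "corrupt"
        report[e["name"]] = (status, today <= date.fromisoformat(e["retain_until"]))
    return report

if __name__ == "__main__":
    # Constructed sample data, not real DICOM content: one blob altered, one absent.
    blobs = {"ct-0001.dcm": (b"constructed CT bytes", "pediatric"),
             "xr-0002.dcm": (b"constructed X-ray bytes", "adult")}
    manifest = build_manifest(blobs, date(2024, 2, 29))
    print(verify(manifest, {"ct-0001.dcm": b"constructed CT bytes!"}, date(2030, 1, 1)))
```

A "missing" or "corrupt" status on an entry that is still under retention is the condition a periodic verification job would escalate.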
Need to protect medical records for 25+ years?
Talk to our team — we design the PQC migration without halting clinical operations. PoC in 2 weeks, pilot in 60 days.