
White House Executive Order Reshapes U.S. Cybersecurity Strategy
By Lee Kim JD CISSP CIPP/US, Senior Principal, Cybersecurity and Privacy, HIMSS
The Trump administration issued an executive order June 6 titled Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.
This order reshapes U.S. cybersecurity strategy by updating two foundational directives.
- Executive Order 13694 (Obama 2015) was titled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, and it authorized U.S. sanctions — including asset freezes and transaction bans — against individuals and entities conducting significant cyberattacks from abroad. It became the basis for the Office of Foreign Assets Control, an agency of the U.S. Department of Treasury, to designate ransomware groups and other cyber threat actors.
- Executive Order 14144 (Biden 2025) was titled Strengthening and Promoting Innovation in the Nation’s Cybersecurity, and it expanded on prior directives by setting federal priorities for secure software development, post-quantum cryptography, supply chain risk and artificial intelligence security.
Highlights from the June 6, 2025, Executive Order
Secure Software Development
As stated in the executive order: “By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).”
- Implications for healthcare: Guidance for secure software development practices (security by design) may ultimately benefit healthcare organizations if software developers adopt these principles. Safer, more resilient systems may result instead of systems that are not always secure and may need frequent patching, which is reactive security instead of proactive security.
Securely and Reliably Deploying Patches and Updates
As stated in the executive order: “By September 2, 2025, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.”
- Implications for healthcare: Healthcare organizations and others have experienced significant cybersecurity events involving supply chain attacks. Ensuring that medical devices and other operational technology assets and information technology assets are patched and updated securely and reliably can mitigate the risk of significant supply chain attacks that have previously disrupted the healthcare and public health sector and others. In production environments like healthcare, where patient safety is a real and tangible risk, ensuring that patches and updates are safe and reliable is essential for the provision of high-quality healthcare. Many aspects of healthcare delivery depend on technology, from dialysis machines to other lifesaving or life-maintaining devices.
Post-quantum cryptography (PQC) Product Category List
As stated in the executive order: “By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available.”
- Why is this relevant?: An August 2023 press release from the National Security Agency as well as a Quantum Readiness Report warned that “cyber actors could target our nation’s most sensitive information now and leverage future quantum computing technology to break traditional non-quantum-resistant cryptographic algorithms. This could be particularly devastating to sensitive information with long-term secrecy requirements.”
- The rise of quantum computing is concerning because it has the potential to break modern encryption algorithms in place today. Post-quantum cryptography will become the de facto standard for healthcare organizations.
TLS 1.3 or above
As stated in the executive order: “By December 1, 2025, to prepare for transition to PQC, the Director of the National Security Agency with respect to National Security Systems (NSS), and the Director of OMB with respect to non-NSS, shall each issue requirements for agencies to support, as soon as practicable, but not later than January 2, 2030, Transport Layer Security protocol version 1.3 or a successor version.”
- Implications for healthcare: It is likely that healthcare organizations will be expected to comply with at least the same Transport Layer Security (TLS) standard as the government. It will become the de facto standard.
Artificial intelligence
As stated in the executive order, “Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.”
- Implications for healthcare organizations: There is growing consensus that the best cybersecurity defenses are AI-enabled to help thwart AI-enabled cyber threats. In some cases, AI can react more quickly and with greater accuracy and precision than humans. AI has the potential to apply expert knowledge and know-how to a cybersecurity event, augmenting what a cybersecurity professional can do.
AI Software Vulnerability Management
As stated in the executive order: “By November 1, 2025, the Secretary of Defense, the Secretary of Homeland Security, and the Director of National Intelligence, in coordination with appropriate officials within the Executive Office of the President, to include officials within the Office of Science and Technology Policy, the Office of the National Cyber Director, and the Director of OMB, shall incorporate management of AI software vulnerabilities and compromises into their respective agencies’ existing processes and interagency coordination mechanisms for vulnerability management, including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”
- Several federal agencies as listed above must incorporate AI software vulnerabilities and compromises into their existing vulnerability management processes, including incident tracking, response, and reporting as well as sharing indicators of compromise (IOCs) for AI systems.
Rules-as-Code Approach – Aligning Policies to Practice
Federal agencies such as OMB, NIST and CISA are directed to pilot a rules-as-code approach. Cybersecurity policies and guidance will be published in machine-readable form.
“Within 1 year of the date of this order, the Secretary of Commerce, acting through the Director of NIST; the Secretary of Homeland Security, acting through the Director of CISA; and the Director of OMB shall establish a pilot program of a rules-as-code approach for machine-readable versions of policy and guidance that OMB, NIST, and CISA publish and manage regarding cybersecurity,” the order states.
- Implications for healthcare organizations: Instead of manually interpreting guidance (such as NIST 800-53 controls), systems could automatically read, validate and apply those rules during audits, system builds or procurement checks. Vendors, compliance teams and others are able to work more quickly and efficiently by incorporating machine-readable guidance. Human error may be reduced by applying complex security frameworks and guidance as well as standards. This will enable healthcare organizations to have more secure deployments of systems — whether IT, OT or clinical systems. Additionally, instead of periodic audits or compliance reviews, these can potentially occur in real-time and on-demand.
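To make the rules-as-code idea concrete, here is an added illustration (not part of the executive order or of any NIST, CISA or OMB pilot) that expresses the order's TLS 1.3 requirement and a constructed patch-currency rule as machine-readable data, then checks a system configuration record against them the way an automated audit or procurement check would. The rule format, field names, sample configuration and deadlines other than the quoted January 2, 2030 TLS date are assumptions made for the example.

```python
"""Rules-as-code demo: policy requirements as data, checked automatically.

Added example, not the order's or HIMSS's own code. Rule/config field
names and the PATCH-AGE rule are constructed for illustration.
"""
import json
from datetime import date

# Constructed machine-readable policy. The TLS rule carries the order's
# "not later than January 2, 2030" deadline; the patch rule is invented.
POLICY_JSON = """
{
  "rules": [
    {"id": "TLS-1.3", "field": "tls_min_version", "op": ">=", "value": 1.3,
     "deadline": "2030-01-02", "source": "EO: TLS 1.3 or a successor version"},
    {"id": "PATCH-AGE", "field": "days_since_last_patch", "op": "<=", "value": 30,
     "deadline": "2025-09-02", "source": "constructed patch-currency rule"}
  ]
}
"""

# Comparison operators the rule format is allowed to use.
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}


def evaluate(policy_json: str, system: dict, today_iso: str) -> list:
    """Return one finding per rule.

    pass    - the configured value satisfies the rule
    fail    - it does not, and the rule's deadline has passed
    warn    - it does not, but the deadline is still in the future
    unknown - the field is absent, i.e. a visibility gap in its own right
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for rule in json.loads(policy_json)["rules"]:
        actual = system.get(rule["field"])
        deadline = date.fromisoformat(rule["deadline"])
        if actual is None:
            status = "unknown"
        elif OPS[rule["op"]](actual, rule["value"]):
            status = "pass"
        else:
            status = "fail" if today >= deadline else "warn"
        findings.append({"rule": rule["id"], "status": status, "actual": actual})
    return findings


if __name__ == "__main__":
    # Constructed configuration record for a hypothetical clinical gateway.
    gateway = {"tls_min_version": 1.2, "days_since_last_patch": 45}
    for finding in evaluate(POLICY_JSON, gateway, "2026-01-15"):
        print(finding)
```

The same evaluation can be re-run on every build or procurement record, which is what turns a periodic compliance review into an on-demand check.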
Alignment of Investments and Priorities to improve Network Visibility and Security Controls to Reduce Cyber Risks
“Sec. 7. Aligning Policy to Practice. Agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks. In consultation with the National Cyber Director, agencies shall take the following actions:
(a) Within 3 years of the date of this order, the Director of OMB shall issue guidance, including any necessary revision to OMB Circular A–130, to address critical risks and adapt modern practices and architectures across Federal information systems and networks.”
Federal agency policies must align investments and priorities to improve network visibility and security controls to reduce cybersecurity risks. Guidance issued by OMB, and any revisions that are necessary to OMB Circular A-130, shall address critical risks and adapt modern practices and architectures across Federal information systems and networks. Based on this executive order, the new risks will likely include quantum computing, AI software vulnerabilities and supply chain threats. OMB may also potentially adopt a rules-as-code approach.
- Implications for healthcare: Network visibility is essential to understanding what is normal for users, systems, devices and networks and what is not normal. Healthcare organizations cannot protect what they are not aware of and what they cannot see. Without adequate visibility, the risk landscape is highly variable, and healthcare organizations have a reactive security posture. Healthcare organizations will not know what incidents are occurring if they do not have the visibility. The security controls to address those risks are likely inadequate because the whole picture of the risk landscape is obscured by the lack of visibility.
United States Cyber Trust Mark
By January 4, 2027, vendors to the Federal Government of consumer Internet-of-Things products, as defined by 47 CFR 8.203(b), are required to carry the United States Cyber Trust Mark label for those products.
- Implications for healthcare: It is likely that the United States Cyber Trust Mark may extend to the Internet of Medical Things (i.e., medical devices) and other Internet of Things devices that healthcare organizations use. The United States Cyber Trust Mark is a way for procurement teams to evaluate the safety, reliability and trustworthiness of a consumer Internet of Things product.
The Future of Healthcare
The future of healthcare depends on safe, reliable and trustworthy systems. We need to get ahead of artificial intelligence, quantum computing and other sophisticated threats. These technologies are also opportunities for us to enable better healthcare. The harms of poor cybersecurity can no longer be avoided — patient safety will be at greater risk unless we harness the technology.