HC3 TLP White: Monthly Cybersecurity Vulnerability Bulletin May 6, 2022

Executive Summary

In April 2022, vulnerabilities in common information systems relevant to the health sector have been released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for this month are from Microsoft, Adobe, Android, Google, Apple, CISCO, Mozilla, Oracle, SAP, SonicWall, and VMWare. HC3 recommends patching all vulnerabilities with special consideration to each vulnerability criticality category against the risk management posture of the organization.

Importance to HPH Sector


In April, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) added 22 vulnerabilities to their Known Exploited Vulnerabilities Catalog.

This effort is driven by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the US federal enterprise.

Vulnerabilities that are entered into this catalog are required to be patched by their associated deadline by all US executive agencies. While these requirements do not extend to the private sector, HC3 recommends all healthcare entities review vulnerabilities in this catalog and consider prioritizing them as part of their risk mitigation plan. The full database can be found here.

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272