Clinical Cyber Dispatch · Free Edition · Issue date: 6 July 2026
Healthcare cyber intelligence — decision brief
Critical-Now Items
5
Confirm local deployment; apply required actions
Vendor actions
5
Action cards: required action, due date, sources per card
Exploit signal
2 CISA KEV
2 also corroborated by VulnCheck; 1 VulnCheck-only item.
Data as of
6 July 2026
23:58 UTC
Retained unresolved risk remains critical; see Retained CVE Watch for closure tracking.
CISO Quick Read
Critical-Now: 5 items requiring local deployment confirmation and remediation by source due date.
CISA KEV: 2 items. 1 additional exploited item tracked outside CISA KEV (VulnCheck).
Policy / guidance updates: None new this window.
Retained watch: 32 items remain open.
Incident Watch: 0 immediate incident-response actions; 1 sector-awareness item to validate against local vendors, services, and third-party dependencies.
Decision: Validate deployment for all 5 Critical-Now products, apply the listed vendor action by the due date, and document exceptions. Escalate privacy only with local evidence of unauthorized PHI/ePHI access, use, acquisition, or disclosure. 2 items are past due.
What changed since last issue
What changed for you: 1 new Critical-Now action enters your queue this week; 3 carried-over Critical-Now actions remain open from the prior issue; 1 operational campaign also requires action. 8 current-window CVEs were scored this issue — 4 Critical-Now and 4 monitored, plus 1 operational campaign tracked separately; the Open Exposure Queue below is this week's set, separate from the retained open-risk backlog.
| New Critical-Now items: | 1 |
| Retained Critical-Now items: | 3 |
| Retained watch items still open: | 32 |
| New policy / guidance updates: | 0 |
| Incident actions: | 0 immediate incident-response actions; 1 sector-awareness item to validate locally |
- New: CVE-2026-9725 — Printcart Web to Print Product Designer for WooCommerce
Open Exposure Summary
Open exposure picture: 5 Critical-Now actions need review this week. Separately, 32 prior CVEs remain open in the retained backlog; 17 are critical and 19 carry CISA/VulnCheck KEV signal. The public issue shows the top retained re-checks, while full closure tracking remains internal.
HRS = Healthcare Relevance Score (1–100). It reflects healthcare operational relevance using clinical exposure, exploit/KEV signal, EPSS, and source authority. Each badge's tooltip lists the five axis scores (0–5). Composite = sum of (axis ÷ 5 × weight) × 100, rounded. Weights: clinical workflow 25%, patient data path 20%, medical device/OT 20%, vendor dependency 20%, identity blast radius 15%. Full rubric: HRS rubric.
Open Exposure Queue
Do first this week
- CVE-2026-45659 — Microsoft SharePoint Server [new] · HRS 52
CISA KEV; VulnCheck KEV; ACTIVE EXPLOITATION — Upgrade Microsoft SharePoint Server to fixed release(s): 16.0.19725.20280.
Validate at Admin Console → Site Settings — affected if version ≤ 16.0.12345.0
Due 2026-07-04 (FCEB expectation; healthcare benchmark) [date basis: CISA KEV entry] · Owner route: WAF/network security - CVE-2026-48558 — Simple-Help Simplehelp [new] · HRS 48
CISA KEV; VulnCheck KEV; ACTIVE EXPLOITATION — Upgrade Simple-Help Simplehelp to fixed release(s): 5.5.16.
Due 2026-07-02 (FCEB expectation; healthcare benchmark) [date basis: CISA KEV entry] · Owner route: Vulnerability management - CVE-2026-8451 — Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway [new] · HRS 80
VulnCheck KEV; ACTIVE EXPLOITATION — Upgrade Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway to fixed release(s): 13.1-37.272, 13.1-63.18, 14.1-72.61.
No source deadline · Owner route: Vulnerability management - A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands — identity surface [campaign]
initial access broker; healthcare-relevant identity surface; concrete operator action available. — For Clickfix: validate exposed identity assets.
Check CMDB, EASM, VPN/firewall inventories, identity logs, remote-access logs, and privileged-account activity for affected deployments.
No source deadline · Owner route: Start with network security or remote-access owner; include identity, SOC, vulnerability management, and change owner.
Top retained re-checks
32 retained items remain tracked; this public issue shows the top 5 re-checks.
Show the 5 re-check rows (why surfaced, action, timeline, owner route)
- CVE-2026-11645 — Google Chrome / Chromium V8 [retained]
Open exposure carried from a prior issue — KEV-listed; re-check due this week — Confirm local deployment, then apply the vendor remediation or document an exception.
No source deadline · Owner route: Vulnerability management - CVE-2026-20245 — Cisco SD-WAN vsmart controller; Cisco catalyst SD-WAN manager [retained]
Open exposure carried from a prior issue — KEV-listed; re-check due this week — Same action as CVE-2026-11645 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-42271 — LiteLLM [retained]
Open exposure carried from a prior issue — KEV-listed; re-check due this week — Same action as CVE-2026-11645 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-45247 — Mirasvit Full Page Cache Warmer [retained]
Open exposure carried from a prior issue — KEV-listed; re-check due this week — Same action as CVE-2026-11645 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-50751 — Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable [retained]
Open exposure carried from a prior issue — KEV-listed; re-check due this week — Same action as CVE-2026-11645 (shared fixed releases).
No source deadline · Owner route: Vulnerability management
Monitored this week
Show the 5 monitored rows (status, timeline, owner route)
- CVE-2026-9725 — Printcart Web to Print Product Designer for WooCommerce [monitored] · HRS 62
PRE-PUBLIC EXPLOIT STAGE — Patch to version 2.5.3.
Validate at WP Admin → Plugins — affected if version ≤ 2.5.2
No source deadline · Owner route: Digital front door/patient portal - CVE-2026-8452 — Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway [monitored] · HRS 64
PRE-PUBLIC EXPLOIT STAGE — Same action as CVE-2026-8451 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-13474 — Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway [monitored] · HRS 64
PRE-PUBLIC EXPLOIT STAGE — Same action as CVE-2026-8451 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-10817 — Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway [monitored] · HRS 64
PRE-PUBLIC EXPLOIT STAGE — Same action as CVE-2026-8451 (shared fixed releases).
No source deadline · Owner route: Vulnerability management - CVE-2026-10816 — Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway [monitored] · HRS 64
PRE-PUBLIC EXPLOIT STAGE — Same action as CVE-2026-8451 (shared fixed releases).
No source deadline · Owner route: Vulnerability management
How to use Critical-Now Items
Use this sequence before assigning escalation work:
- Confirm local deployment, then remediate each Critical-Now item by its due date.
- Investigate only if local telemetry indicates exploitation.
- Start HIPAA breach risk assessment only with evidence of unauthorized PHI/ePHI access, use, or disclosure.
Critical-Now Actions
Validate the 5 Critical-Now actions below, starting with internet-facing and past-due assets. Apply vendor guidance or document an exception.
Dates shown from CISA’s KEV Catalog reflect CISA remediation expectations for Federal Civilian Executive Branch agencies under BOD 26-04 (status verified 2026-07-05). Under BOD 26-04, FCEB remediation expectations may vary by asset exposure, exploit automation, technical impact, and KEV status. CCD presents these dates to healthcare organizations as remediation benchmarks; verify your own legal, contractual, and regulatory obligations. Due dates evaluated as of 2026-07-06.
Free content: priority, HRS, deadline, action, and source references. HRS uses the Healthcare Relevance Score rubric. HRS rubric.
CVE-2026-48558 — full decision card
- Product / vendor
- Simple-Help Simplehelp
- Healthcare relevance
- Healthcare relevance (Simple-Help Simplehelp): prioritize if it carries remote access for clinical, billing, or vendor workflows.
- Required action
- Upgrade Simple-Help Simplehelp to fixed release(s): 5.5.16.
Validation, owner & Source Pack
- Local validation
- confirm whether Simple-Help Simplehelp before 5.5.16 is deployed, exposed, and owned locally.
- Owner route
- Simple-Help Simplehelp service owner; then network & perimeter team, with remote-access/VPN owner and identity owner.
- Source pack
Source Pack — View sources and technical details
- NVD record — publication date not stated
- CISA KEV catalog entry — KEV catalog added 2026-06-29
- Vendor advisory — publication date not stated
- VulnCheck KEV — publication date not stated
- EPSS reference — EPSS as of 2026-07-06
- BOD 26-04 directive — publication date not stated
Last verified: 6 July 2026 07:06 ET (6 July 2026 11:06 UTC)
Scope note: Priority signals: CISA KEV, VulnCheck KEV, vendor source; product: Simple-Help Simplehelp.
Fixed version(s)
- 5.5.16
CVE-2026-45659 — full decision card
- Product / vendor
- Microsoft SharePoint Server
- Healthcare relevance
- Healthcare relevance (Microsoft SharePoint Server): prioritize if patient portals, scheduling, or payment flows depend on it.
- Required action
- Upgrade Microsoft SharePoint Server to fixed release(s): 16.0.19725.20280.
Validation, owner & Source Pack
- Local validation
- confirm whether Microsoft SharePoint Server before 16.0.19725.20280 is deployed, exposed, and owned locally.
- Owner route
- Microsoft SharePoint Server service owner; then web/digital platform owner, with marketing IT and hosting vendor.
- Source pack
Source Pack — View sources and technical details
- NVD record — publication date not stated
- CISA KEV catalog entry — KEV catalog added 2026-07-01
- Vendor advisory — publication date not stated
- VulnCheck KEV — publication date not stated
- EPSS reference — EPSS as of 2026-07-06
- BOD 26-04 directive — publication date not stated
Last verified: 6 July 2026 07:06 ET (6 July 2026 11:06 UTC)
Scope note: Priority signals: CISA KEV, VulnCheck KEV, vendor source; product: Microsoft SharePoint Server.
Fixed version(s)
- 16.0.19725.20280
CVE-2026-8451 — full decision card
- Product / vendor
- Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway
- Healthcare relevance
- Healthcare relevance (Citrix Netscaler Application): prioritize if it carries remote access for clinical, billing, or vendor workflows.
- Required action
- Upgrade Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway to fixed release(s): 13.1-37.272, 13.1-63.18, 14.1-72.61.
Validation, owner & Source Pack
- Local validation
- confirm whether Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway before 13.1-37.272, from 13.1 before 13.1-63.18, from 14.1 before 14.1-72.61 is deployed, exposed, and owned locally.
- Owner route
- Citrix Netscaler Application Delivery Controller service owner; then network & perimeter team, with remote-access/VPN owner and identity owner.
- Source pack
Source Pack — View sources and technical details
- NVD record — published 30 June 2026
- Vendor advisory — publication date not stated
- VulnCheck KEV — publication date not stated
- EPSS reference — EPSS as of 2026-07-05
Last verified: 6 July 2026 07:06 ET (6 July 2026 11:06 UTC)
Scope note: Priority signals: VulnCheck KEV, vendor source; product: Citrix Netscaler Application Delivery Controller; Citrix Netscaler Gateway.
Fixed version(s)
- 13.1-37.272, 13.1-63.18, 14.1-72.61
CVE-2026-9725 — full decision card
- Product / vendor
- Printcart Web to Print Product Designer for WooCommerce
- Healthcare relevance
- Healthcare relevance (Printcart Web to): validate whether the vendor touches PHI/ePHI, care delivery, billing, or operational continuity.
- Required action
- Validate whether Printcart Web to Print Product Designer for WooCommerce is installed in the affected version range identified by the source.
Validation, owner & Source Pack
- Local validation
- confirm whether Printcart Web to Print Product Designer for WooCommerce Versions up to and including 2.5.2 is deployed, exposed, and owned locally.
- Owner route
- Printcart Web to Print Product Designer for WooCommerce service owner; then vendor risk management, with the internal business owner of the service.
- Source pack
Source Pack — View sources and technical details
- Primary source — publication date not stated
- EPSS reference — EPSS as of 2026-07-05
Last verified: 6 July 2026 07:06 ET (6 July 2026 11:06 UTC)
Scope note: Priority signals: NVD/vendor review; product: Printcart Web to Print Product Designer for WooCommerce.
Fixed version(s)
- 2.5.3
A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites — full decision card
- Product / vendor
- Clickfix
- Healthcare relevance
- Healthcare relevance (Clickfix): validate whether the vendor touches PHI/ePHI, care delivery, billing, or operational continuity — here via identity.
- Required action
- For Clickfix: validate exposed identity assets.
Validation, owner & Source Pack
- Additional action detail
- Then rotate potentially exposed credentials or sessions, enforce MFA, restrict management access, review logs for anomalous access, and apply vendor hardening or upgrade guidance where applicable.
- Local validation
- Check CMDB, EASM, VPN/firewall inventories, identity logs, remote-access logs, and privileged-account activity for affected deployments. No breach response requirement without local evidence of unauthorized access to PHI/ePHI.
- Owner route
- Clickfix service owner; then vendor risk management, with the internal business owner of the service.
- Source pack
Source Pack — View sources and technical details
- ClickFix Social Engineering Technique is the Leading Method for Malware Delivery — publication date not stated
Last verified: 2026-07-06 19:58 ET
Scope note: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites affecting Clickfix. initial access broker; healthcare-relevant identity surface; concrete operator action available.
Retained Open-Risk Backlog — highest-priority re-checks (32 open, top 3 shown)
32 prior CVEs remain open in the retained backlog. This public issue shows the highest-priority re-checks only; full closure tracking remains internal. 32 previously covered CVEs remain open — 17 critical, 15 high priority, 19 on the CISA/VulnCheck KEV lists. The remaining 29 open items are tracked for you and will resurface here on a material change or an approaching deadline.
CVE-2026-11645 — Google Chrome / Chromium V8 Critical · KEV
Still matters: Open known exploitation (KEV) + critical severity with clinical endpoint exposure; unresolved until the fix is confirmed deployed.
Re-check: Re-check managed browser fleet versions and force-update shared clinical endpoints for Google Chrome / Chromium V8, then close it out or record an accepted exception.
Fix: 149.0.7827.103.
CVE-2026-20245 — Cisco SD-WAN vsmart controller; Cisco catalyst SD-WAN manager Critical · KEV
Still matters: Open known exploitation (KEV) + critical severity with third-party service dependency; unresolved until the fix is confirmed deployed.
Re-check: Re-check the vendor's remediation attestation and your contract's patch obligations for Cisco SD-WAN vsmart controller, then close it out or record an accepted exception.
Fix: Fixed-release or mitigation guidance is documented in the CISA/Cisco source; verify the affected train and apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2) or the required mitigation.
CVE-2026-42271 — LiteLLM Critical · KEV
Still matters: Open known exploitation (KEV) + critical severity with PHI-adjacent AI middleware exposure; unresolved until the fix is confirmed deployed.
Re-check: Re-check gateway versions, review query logs, and rotate provider keys if exposure cannot be excluded for LiteLLM, then close it out or record an accepted exception.
Fix: 1.83.7.
Landscape Watch
Sector read
Incident Watch carries sector incident awareness this week — items to monitor and validate against your own vendors and services. Vendor advisory watch: no reader action this week.
Named actor and tooling watch
Actor/tooling items are shown here as bounded Landscape Watch context. They become current healthcare alerts only when this window includes an HPH-sector source, healthcare victim, or healthcare-specific campaign evidence.
Background SOC context
These items are retained as low-prominence SOC context. They are not current healthcare alerts unless this window includes healthcare victim, HPH-sector, or campaign-specific evidence.
- Akira — background SOC context. Generic activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
- Cobalt Strike — background SOC context. Generic IOC activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
Medical device / OT watch: No material healthcare OT/ICS or medical-device signal crossed the action threshold this week.
Healthcare Incident Watch — sector incident awareness
No verified material healthcare incident action item cleared this week. The items below are sector awareness from cited sources — items to monitor and validate locally.
Almost 30,000 Texas Residents Affected by Data Breach at The Texas Hearing Institute
What happened: As reported by The HIPAA Journal: The Texas Hearing Institute has notified the Texas Attorney General about a data breach impacting more than 29, 000 state.
Source: The HIPAA Journal (Reporting — published 6 July 2026)
Why it matters & what to validate
Why healthcare should care: Patient data taken from The Texas Hearing Institute feeds targeted phishing and fraud against the affected population and its care providers.
What to monitor or validate: Search vendor and account inventories for The Texas Hearing Institute; if present, watch for the official notice and validate credentials and data flows touching them.
Primary source status: primary-notice retrieval attempted and logged (source unreachable)
Validate locally: Treat as secondary-source awareness until corroborated by an official notice or local evidence.
Privacy boundary for the items above: awareness only — do not initiate breach response or patient notification from these reports without local evidence.
Sector Readiness / Industry Guidance Watch
Non-binding healthcare-sector guidance and readiness events are shown here when current or future-dated source material changes planning, participation, or sector-awareness decisions.
Operation Vital Signs
Organizer: HSCC
Event date(s): July 21-22, 2026
Status: Consider participation / readiness planning
Reader action: Route to security, incident response, emergency management, privacy/legal, and clinical operations leaders if tabletop participation or lessons learned apply.
Regulatory & Privacy
What we are watching
No new binding rule, OCR enforcement action, FDA cybersecurity notice, or federal cyber-reporting deadline crossed the action threshold this window.
Standing watch: CIRCIA final rule timing, HIPAA Security Rule modernization, Health Care Cybersecurity and Resiliency Act movement, OCR settlement patterns, FDA medical-device cybersecurity, HHS HC3 sector alerts, CISA KEV healthcare exposure, and federal AI policy that changes healthcare vendor diligence.
This week: Use the quiet week to keep incident-reporting roles, breach-assessment evidence capture, and vendor/device cyber documentation current.
Regulatory action this week: None. No material movement this window; the standing watch continues.
Standing watchlist (no changes) · 11 items
No standing item changed a deadline, owner, privacy posture, or security action this week.
Standing watch: 8 federal actions; 3 state or international items. No item requires reader action this week.
Standing watch reference — 11 named items (expand for status; full fields in the regulatory watch export)
- CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act — Final rule pending; CISA NPRM published 2024-04; comment period closed 2024-07. Healthcare designated as cover · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Mandatory 72-hour cyber incident reporting and 24-hour ransomware payment reporting for covered healthcare entities once the final rule takes effect. - HIPAA Security Rule update (NPRM 2024) — NPRM published Federal Register 2025-01-06. Final rule timeline not yet announced. Adds explicit MFA, encrypti · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: First substantive HIPAA Security Rule update in over a decade — closes longstanding gaps around MFA, vulnerability management, and incident-response evidence wo - Health Care Cybersecurity and Resiliency Act of 2025 — Reported / not final. Senate companion under HELP Committee review. Provides authorities for HHS-CISA coordina · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Would codify mandatory minimum cybersecurity standards for healthcare and authorize HHS-CISA cyber incident coordination — the closest thing to a sector-wide cy - OCR HIPAA enforcement and incident-reporting activity — Routine OCR enforcement and reporting updates monitored. Watch for resolution agreements citing security-rule · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: OCR settlements reveal which control failures are actively being penalized — direct input into your control-prioritization roadmap. - FDA medical-device cybersecurity guidance & safety communications — FDA pre-market cybersecurity guidance (2023) in effect. Watch for SaMD AI/ML cyber guidance and post-market vu · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Vendor must demonstrate cybersecurity in pre-market submission. Post-market FDA safety communications can drive emergency clinical-engineering action. - HHS HC3 / sector cyber alerts — Routine sector alerts and threat briefs monitored. Higher-frequency advisories during active campaign periods. · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: HC3 issues healthcare-specific TTP intel (ransomware groups targeting clinics, telehealth-specific threats) often days ahead of industry coverage. - CISA KEV additions affecting healthcare-deployed software — Tracked daily. Healthcare-relevant additions surface in the Open Exposure Queue as Critical-Now. · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: CISA KEV addition signals CISA remediation expectations for FCEB agencies under the current KEV directive (runtime-verified from official CISA sources) and a st - White House / OMB / NIST / CAISI AI policy affecting healthcare — Active. Federal AI policy posture is shifting; watch for AI executive orders, NIST AI RMF updates, and CAISI e · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Federal AI governance defines what evaluations, evidence, and assurances healthcare AI vendors must produce — direct procurement and validation impact. - Washington My Health My Data Act — State health-data privacy law in force. Watch for enforcement activity and vendor-contract implications involv · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Healthcare-adjacent apps, digital front doors, marketing pixels, and wellness programs can create state-law privacy exposure even when HIPAA does not apply. - California CPPA / CCPA health-data privacy enforcement — State privacy enforcement monitored for health-data, tracking-technology, and vendor-processing implications. · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: Large health systems with California patients or web properties need a view of privacy notices, tracking tech, and service-provider obligations outside HIPAA. - EU AI Act / NIS2 healthcare supplier exposure — International regulatory posture monitored for multinational health systems and suppliers serving EU-regulated · last change: no date stated · no date stated · status: watch · source
Why healthcare cares: EU AI and cyber-resilience obligations can affect vendor due diligence, clinical AI assurance, and supplier security evidence for global healthcare organization
Standing-watch methodology and canonical source list: /methodology/.
Retained Regulatory & Privacy Watch — 5 prior tracked items
Promoting Advanced Artificial Intelligence Innovation and Security
Action this week: Standing regulatory/privacy watch item
Health Sector Publishes Updated Cybersecurity Model Contract
Action this week: Standing regulatory/privacy watch item
Health Industry Cybersecurity Recommendations for Government Policy and Programs
Action this week: Standing regulatory/privacy watch item
Health Sector Publishes Previews to AI Cybersecurity Guidances
Action this week: Standing regulatory/privacy watch item
Health Industry AI Cybersecurity Governance Framework Implementation Guide
Action this week: Standing regulatory/privacy watch item
Last verified: 6 July 2026 11:00 UTC
Regulatory Watch is informational and does not replace legal advice or your organization’s counsel-led regulatory analysis.
AI & Clinical Automation Watch
Editorial read
No new AI-infrastructure CVE crossed the action threshold this window. 1 previously covered AI-infrastructure item remains open and tracked in the Retained CVE Watch.
This week: Work retained AI gateway exposure from the Retained CVE Watch: verify fixed versions, validate exposure, and rotate provider keys if compromise cannot be ruled out.
AI Watch shows items with a concrete decision or action for healthcare organizations. Other AI policy, acquisition, and governance signals appear when they require reader action.
No material AI policy, infrastructure, agentic, or vendor activity this window. Standing watch covers White House / OMB / NIST / CAISI / Commerce / FDA / HSCC / MITRE ATLAS / OWASP LLM / Health-ISAC.
AI Infrastructure Watch: No separate federal AI policy or clinical automation action crossed threshold this week.
Sources monitored (click to expand)
White House Presidential Actions, OMB AI memoranda, NIST / CAISI, Department of Commerce AI, Federal Register, FDA medical-device cyber, HHS OCR HIPAA + AI guidance, ASTP/ONC, Congress, MITRE ATLAS, MITRE Secure AI, OWASP LLM Top 10, AVID, HSCC AI Cybersecurity + Third-Party AI Risk Guide, Health-ISAC, AHA, and major foundation-model provider security blogs (OpenAI, Anthropic, Microsoft, Google, AWS, Hugging Face).
Trending tactics: no healthcare-specific AI attack pattern crossed threshold this week; continue watching prompt injection, tool-permission abuse, exposed model gateways, and vendor features using patient context.
AI Action This Week
- If AI gateways may handle PHI, confirm BAA review, PHI-redaction, audit logging, and human-in-the-loop controls.
- Inventory agentic AI deployments; require tool allowlists and prompt-injection testing before clinical-workflow expansion.
Issue data exports
Export files activate at publication; draft review uses staged/local artifacts.
- Ai Clinical Automation Watch (CSV)
- Ai Clinical Automation Watch (JSON)
- Critical Now (CSV)
- Critical Now (JSON)
- Incident Watch (CSV)
- Incident Watch (JSON)
- Open Exposure Queue (CSV)
- Open Exposure Queue (JSON)
- Regulatory Watch (CSV)
- Regulatory Watch (JSON)
- Retained Backlog Summary (CSV)
- Retained Backlog Summary (JSON)
Methodology
8 CVEs analyzed · 2 CISA KEV items; 2 also corroborated by VulnCheck; 1 VulnCheck-only item. Methodology and limitations are collapsed; standing methodology is available at /methodology/.
Public issue methodology is summary-only to preserve the decision-brief reading path.
Sources used this window include NVD, CISA KEV, VulnCheck KEV, EPSS, healthcare incident sources, and regulatory watch data.
Breach Notification Trigger Framework: CVE presence alone is not a breach assessment; escalate only with local evidence of exploitation, unauthorized access, or PHI/ePHI exposure.
Full standing methodology: /methodology/.