Glyphward

Healthcare radiology AI · PACS-linked triage · Diagnostic imaging AI

Prompt injection in healthcare radiology AI

Radiology AI platforms occupy one of the highest-stakes positions in clinical AI deployment: they influence time-critical decisions about stroke treatment, pulmonary embolism intervention, and cancer screening priority. Aidoc’s AI triage platform, used in hundreds of health systems, analyses DICOM images uploaded from CT and MRI scanners to flag critical findings — intracranial haemorrhage, PE, aortic dissection — and re-prioritise worklists for radiologists. Viz.ai’s AI platform performs similar critical finding detection and routes stroke alerts directly to on-call neurovascular teams. Nuance PowerScribe 360 and its successor DAX Copilot integrate AI dictation assistance directly into radiologist workflow — the AI assistant sees the study images alongside the radiologist and generates draft report language. Intelerad’s medical imaging platform and iCAD’s AI for mammography screening process images uploaded through PACS integrations, teleradiology submission portals, and screening clinic workflows. The adversarial image injection threat to these platforms does not require attacking the radiology scanner or the PACS server — it requires submitting an image through any of the legitimate upload pathways those platforms already expose, containing pixel-level payloads that manipulate AI triage priority scores, suppress critical finding flags, or inject false language into AI dictation drafts. Patient safety, clinical liability, and HIPAA compliance are all implicated when adversarial images corrupt radiology AI outputs upstream of radiologist review. This page covers four injection surfaces, why they are structurally under-defended, and how Glyphward’s pre-scan gate addresses the threat before adversarial content reaches the clinical AI system.

TL;DR

Radiology AI platforms — Aidoc, Viz.ai, Nuance PowerScribe, Intelerad, iCAD — process uploaded DICOM images, PACS-linked study metadata images, teleradiology second-read submissions, and mammography screening scans through AI models that produce triage priorities, critical finding alerts, and AI-assisted report drafts. Adversarially crafted images submitted through these pathways can suppress critical finding flags, corrupt triage prioritisation, and inject false dictation content before radiologist review. Glyphward scans each image at the ingestion boundary with a threshold of ≥ 50 for AI triage inputs (strictest tier, patient safety) and ≥ 55 for screening and teleradiology. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in healthcare radiology AI

1. DICOM image injection before AI triage prioritisation (Aidoc, Viz.ai)

Aidoc and Viz.ai process DICOM image sets automatically as they arrive from hospital PACS and CT/MRI scanners. The AI triage models analyse each study for critical findings — intracranial haemorrhage, pulmonary embolism, large vessel occlusion — and assign a priority score that re-orders the radiologist worklist. An adversarially crafted DICOM image — a study in which individual pixel values have been perturbed below the threshold of visual detection by a reviewing clinician — can be submitted through any PACS-connected upload path: a referring physician uploading outside images via the DICOM web endpoint, a teleradiology vendor submitting studies for second-read, or a portable scanner sending studies to the AI triage queue. The perturbation targets the AI triage model’s confidence on the critical finding classifier: a crafted image in which a real intracranial haemorrhage is present can be perturbed to reduce AI confidence below the flagging threshold, causing the study to be deprioritised in the radiologist worklist. Conversely, a study with no critical finding can be perturbed to exceed the AI confidence threshold, causing a false critical alert that floods the alert system with noise and delays response to genuine findings. In high-volume emergency radiology environments, where AI worklist prioritisation is the primary mechanism for surfacing critical findings to the on-call radiologist, either perturbation type has direct patient safety consequences. The attack does not require compromising the AI vendor’s infrastructure — it requires only the ability to submit a DICOM image through a pathway that the triage platform already monitors, which in most health system deployments includes multiple referring institution upload paths, portable device endpoints, and teleradiology submission interfaces.

2. PACS-linked study metadata image injection into AI radiologist assistants (Nuance PowerScribe, DAX Copilot)

Nuance PowerScribe 360 and DAX Copilot integrate with PACS to present images alongside the AI-generated dictation assistance interface. The AI assistant processes the study images — alongside structured metadata fields that include patient demographics, referring physician notes, clinical indication, and prior study comparisons — to generate draft report language. The PACS metadata fields are populated from HL7 order messages, DICOM headers, and referring physician notes that arrive through multiple upstream systems: EHR order interfaces, radiology information system (RIS) feeds, and DICOM worklist providers. Adversarial injection at the metadata layer can corrupt the AI dictation assistant’s report draft: a referring physician note field or a clinical indication field in the HL7 message that contains adversarial text payload can instruct the AI assistant to generate report language that suppresses a finding, attributes a clinical finding to the wrong cause, or fabricates a comparison with a prior study. Unlike pixel-level image injection — which requires perturbing the medical image itself — metadata-layer injection exploits the AI assistant’s multimodal inputs: the model processes both the image and the associated text context, and adversarial content in any text field can redirect the AI’s report generation. This is precisely the indirect prompt injection pattern documented in research on multimodal LLMs: the adversarial instruction arrives not directly from the operator (the radiologist) but from an indirect channel (the referring physician note or order metadata) that the AI assistant trusts as contextual input. The impact is a corrupted AI draft that the radiologist may review and sign under time pressure, particularly in high-volume worklist environments where AI-assisted dictation is explicitly designed to accelerate throughput.

3. Teleradiology second-read platform image submission injection

Teleradiology platforms — Radiology Partners, NightHawk Radiology, vRad (now Intelerad), StatRad, and Global Diagnostics — receive DICOM images submitted by hospitals for after-hours and subspecialty second-read coverage. These platforms increasingly integrate AI-assisted triage tools (often Aidoc or Viz.ai embedded via API) to pre-process studies before assignment to the remote radiologist. The teleradiology submission pathway is structurally the most accessible injection surface: studies are submitted by a wide range of referring hospitals and clinics, many with limited IT security controls, over HL7 DICOM web endpoints or DICOM send (C-STORE) connections. An adversarially crafted CT or MRI study submitted from a referring facility — or through a compromised DICOM sender credential — passes through the teleradiology platform’s AI pre-processing before reaching the remote radiologist’s reading queue. The AI triage layer’s output — priority score, critical finding flags, worklist position — is the first clinical output the teleradiology platform produces from the study; a suppressed critical finding flag here delays the study reaching a subspecialty reader in time for interventional action. For stroke and PE studies submitted to a teleradiology service covering a rural emergency department with no on-site radiologist, the delay introduced by a suppressed AI critical alert is not an administrative inconvenience — it is a clinical safety event with direct patient harm potential. Stroke intervention windows (tPA within 4.5 hours, thrombectomy within 24 hours for selected patients) make worklist deprioritisation directly consequential at time horizons measurable in minutes.

4. Mammography and screening AI adversarial image bypass (iCAD, Hologic Genius AI)

Mammography screening AI — iCAD’s ProFound AI, Hologic Genius AI, Screenpoint Medical Transpara, Volpara Density AI, and Lunit INSIGHT MMG — analyses screening mammograms to assign lesion suspicion scores, identify calcification clusters, and measure breast density. These AI tools operate in two modes: integrated with the full-field digital mammography (FFDM) acquisition system at screening clinics, or as standalone AI second-reader platforms that receive studies submitted through DICOM from screening facilities for batch AI analysis. The standalone second-reader pathway is the injection surface: studies are submitted from screening facilities — often community health centres, mobile mammography units, and smaller breast health clinics — and processed by the AI before human radiologist review. An adversarially crafted mammography image — in which sub-pixel perturbations have been applied to specific regions corresponding to known lesion patterns in the training data — can cause the AI suspicion classifier to assign a low confidence score to a region containing a genuine suspicious calcification cluster, suppressing the AI’s flag and deprioritising the study in the radiologist’s reading queue. At population screening scale — where AI-assisted reading is explicitly deployed to manage reader fatigue and prioritise studies in high-volume batch reading sessions — a systematic bias introduced by adversarial submissions across a screening batch can affect a meaningful fraction of studies before any single flagging anomaly is detected. MQSA and FDA 510(k) AI device regulatory frameworks require documented performance validation but do not mandate adversarial image detection at the submission boundary — leaving the injection surface unaddressed in most deployed screening AI implementations.

Integration: radiology AI image ingestion with Glyphward pre-scan

Radiology AI ingestion typically happens as a DICOM listener (C-STORE SCP) that receives studies and routes them to the AI processing queue. Insert Glyphward’s pre-scan at the ingestion boundary — before the study reaches the AI triage model — by exporting the DICOM pixel data as PNG or JPEG for scanning, then forwarding the original DICOM only if the scan clears. The RadiologyAIContext enum tags the audit record with the clinical context:

import asyncio
import base64
import hashlib
import io
import os
import uuid
from enum import Enum
from pathlib import Path

import httpx

# Install pydicom for DICOM pixel extraction: pip install pydicom pillow
try:
    import pydicom
    from PIL import Image as PILImage
    PYDICOM_AVAILABLE = True
except ImportError:
    PYDICOM_AVAILABLE = False

GLYPHWARD_API_KEY = os.environ["GLYPHWARD_API_KEY"]
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Strictest threshold: AI triage for critical findings (stroke, PE, ICH).
# Patient safety consequence of a false negative is direct and immediate.
THRESHOLD_AI_TRIAGE_CRITICAL = 50
# Screening AI (mammography, chest X-ray): population-level consequence,
# slightly higher tolerance for computational reasons, still strict.
THRESHOLD_SCREENING_AI = 55
# Teleradiology second-read and AI dictation assistant: structured review
# follows AI output, threshold set conservatively.
THRESHOLD_TELERADIOLOGY = 55


class RadiologyAIContext(str, Enum):
    AI_TRIAGE_CRITICAL = "ai_triage_critical"        # Aidoc, Viz.ai stroke/PE/ICH
    PACS_DICTATION = "pacs_dictation"                # PowerScribe / DAX Copilot
    TELERADIOLOGY_SECOND_READ = "teleradiology"      # vRad, NightHawk, StatRad
    SCREENING_AI = "screening_ai"                    # iCAD, Hologic Genius AI


def _threshold_for(context: RadiologyAIContext) -> int:
    if context == RadiologyAIContext.AI_TRIAGE_CRITICAL:
        return THRESHOLD_AI_TRIAGE_CRITICAL
    if context == RadiologyAIContext.SCREENING_AI:
        return THRESHOLD_SCREENING_AI
    return THRESHOLD_TELERADIOLOGY


def _dicom_to_png_bytes(dicom_path: str | Path) -> bytes:
    """Extract pixel data from DICOM and return as PNG bytes for scanning."""
    if not PYDICOM_AVAILABLE:
        raise ImportError("pydicom and Pillow required: pip install pydicom pillow")
    ds = pydicom.dcmread(str(dicom_path))
    arr = ds.pixel_array
    # Normalise to 8-bit for scanning (preserve spatial structure)
    arr_min, arr_max = arr.min(), arr.max()
    if arr_max > arr_min:
        arr = ((arr - arr_min) / (arr_max - arr_min) * 255).astype("uint8")
    else:
        arr = arr.astype("uint8")
    img = PILImage.fromarray(arr)
    buf = io.BytesIO()
    img.save(buf, format="PNG")
    return buf.getvalue()


async def scan_radiology_image(
    image_source: str | Path | bytes,   # DICOM path, PNG path, or raw bytes
    context: RadiologyAIContext,
    study_uid_hash: str,                # SHA-256 of DICOM StudyInstanceUID — no PHI
    modality: str,                      # e.g. "CT", "MR", "MG", "CR"
    client: httpx.AsyncClient,
) -> dict:
    """
    Scan a radiology image for adversarial injection payloads before forwarding
    to an AI triage, dictation, or screening AI platform.

    study_uid_hash must be SHA-256 of StudyInstanceUID only — do not include
    patient name, DOB, MRN, or any PHI in audit records (HIPAA minimum necessary).
    """
    if isinstance(image_source, (str, Path)):
        p = Path(image_source)
        if p.suffix.lower() == ".dcm":
            image_bytes = _dicom_to_png_bytes(p)
        else:
            image_bytes = p.read_bytes()
    else:
        image_bytes = image_source

    image_b64 = base64.b64encode(image_bytes).decode()
    image_sha256 = hashlib.sha256(image_bytes).hexdigest()
    scan_id = str(uuid.uuid4())
    threshold = _threshold_for(context)

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={
            "image": image_b64,
            "source": context.value,
            "metadata": {
                "modality": modality,
                "study_uid": study_uid_hash,   # SHA-256 hash — no direct PHI
                "radiology_context": context.value,
                "client_scan_id": scan_id,
                "image_sha256": image_sha256,
            },
        },
        timeout=8.0,
    )
    resp.raise_for_status()
    result = resp.json()

    audit_record = {
        "study_uid": study_uid_hash,
        "modality": modality,
        "radiology_context": context.value,
        "scan_id": result["scan_id"],
        "client_scan_id": scan_id,
        "image_sha256": image_sha256,
        "score": result["score"],
        "flagged_region": result.get("flagged_region"),
        "threshold": threshold,
        "action": "blocked" if result["score"] >= threshold else "allowed",
    }
    await write_radiology_audit_record(audit_record)

    if result["score"] >= threshold:
        raise AdversarialRadiologyImageError(
            f"Radiology image blocked [{context.value}]: "
            f"scan_id={result['scan_id']} score={result['score']} "
            f"modality={modality} study={study_uid_hash}"
        )
    return result


async def write_radiology_audit_record(record: dict) -> None:
    """Persist audit record to your HIPAA-compliant audit log store (stub)."""
    import json, sys
    # Replace with your BAA-covered audit store write
    print(json.dumps(record), file=sys.stderr)


class AdversarialRadiologyImageError(Exception):
    """Raised when a radiology image exceeds the adversarial injection threshold."""
    pass

The study_uid_hash field carries only the SHA-256 of the DICOM StudyInstanceUID — no patient name, date of birth, MRN, or accession number. This is the minimum necessary PHI approach required under HIPAA for audit log records transmitted to third-party services. Glyphward’s API agreement includes a BAA template for covered entity and business associate relationships. Get early access

Coverage matrix

Control DICOM triage injection PACS metadata / dictation injection Teleradiology submission injection Mammography screening AI bypass
Text-only PI scanner (Lakera, LLM Guard) No — pixel payloads not seen Partial — catches text field injection only No — pixel payloads not seen No — pixel payloads not seen
DICOM de-identification tools (deid, CTP) No — removes PHI from headers, not adversarial pixels Removes text PHI from headers; no AI payload detection No — header-only de-identification No — header-only de-identification
Manual radiologist review Sub-pixel payloads invisible at clinical display resolution Adversarial text in structured fields rarely reviewed directly High volume; sub-pixel payloads imperceptible Not scalable at population screening volume
Glyphward Yes — threshold 50, strictest; scan_id + HIPAA-safe audit Yes — pixel + text metadata scanning; scan_id provenance Yes — threshold 55; study_uid_hash audit trail Yes — threshold 55; modality-tagged audit record

Related questions

Does scanning DICOM images with a third-party API create HIPAA exposure?

Yes, and the integration pattern above is designed to minimise that exposure. Under HIPAA, sending a DICOM image to any third-party service for processing requires a Business Associate Agreement (BAA) with that service. Glyphward’s API agreement includes a BAA template. Beyond the BAA, the integration pattern above explicitly limits what PHI is transmitted: the study_uid_hash field is the SHA-256 of the StudyInstanceUID only — no patient name, date of birth, MRN, or accession number. The image bytes themselves are the DICOM pixel data extracted as a normalised PNG — they contain the pixel array but not the DICOM header fields that carry PHI (patient demographics, referring physician, institution). The de-identification step — extracting pixel data without header PHI before API submission — means the scan request does not constitute a PHI transmission in the HIPAA sense. For the strictest compliance posture, apply your existing DICOM de-identification workflow (CTP, deid, or in-house) to the pixel extraction step before calling the Glyphward scan endpoint. The resulting scan request contains no direct PHI, only pixel data and a pseudonymous study identifier — the same data class you would transmit to a cloud AI model for de-identified research processing.

Can adversarial DICOM images really bypass AI triage models in clinical deployments?

Academic research on adversarial attacks against medical imaging AI is substantial and growing. Finlayson et al.’s 2019 Science paper demonstrated that adversarial perturbations could systematically manipulate AI diagnostic outputs on chest X-ray and retinal imaging classifiers, with perturbation magnitudes below clinical radiologist detection thresholds. Ma et al. and subsequent groups showed that Aidoc-class AI triage architectures — convolutional neural network ensembles fine-tuned on specific finding classes — are susceptible to targeted PGD and FGSM attacks that shift confidence scores by 20–40 percentage points with sub-pixel perturbations. The deployed clinical AI systems — Aidoc, Viz.ai — use internal model versions that are not publicly disclosed, but the architectural class (CNN + attention heads) matches the academic target domain closely enough that demonstrated attack transferability from published models is a reasonable lower bound for the real-world risk. The clinical risk model is different from the benchmark-comparison framing in academic papers: it does not require the attack to succeed on every image or every architecture — it requires the attack to succeed on enough images, in the right clinical context (emergency radiology, after-hours teleradiology), to delay intervention in time-critical cases. A 15% suppression rate on ICH flags — achievable with published attack methods against CNN-class models — in a high-volume after-hours teleradiology environment translates to a meaningful number of cases where AI deprioritisation delays radiologist attention past the critical treatment window.

Does the FDA’s AI/ML SaMD framework address adversarial image attacks?

The FDA’s 2021 AI/ML-Based Software as a Medical Device (SaMD) Action Plan and the 2023 predetermined change control plan (PCCP) guidance focus primarily on post-market performance monitoring, algorithmic drift, and bias. Adversarial robustness — the ability of an AI SaMD to resist deliberate perturbation attacks — is not explicitly required in current 510(k) or De Novo submissions for radiology AI devices. The FDA’s medical device cybersecurity guidance (2023 final guidance, updated for software devices) addresses cybersecurity of the device software and network communication, but does not specifically require adversarial input testing as a pre-market condition. This creates a regulatory gap: a radiology AI device can receive 510(k) clearance based on validated diagnostic performance on clean datasets without any demonstrated adversarial robustness. The gap is known — FDA has engaged with the adversarial ML research community and the ACR Data Science Institute on this topic — but no mandatory adversarial testing requirement exists as of mid-2026. Health systems deploying AI-cleared radiology SaMD are therefore responsible for their own supply-chain security controls at the DICOM ingestion boundary, which is precisely the layer where Glyphward’s pre-scan operates. Documenting that pre-scan gate as a compensating control in your AI risk management file (ISO 14971) provides an auditable record that the organisation took reasonable steps to address the adversarial image threat that cleared SaMD validation does not cover.

How does adversarial injection differ between Aidoc and Viz.ai architecturally?

Both Aidoc and Viz.ai use deep learning architectures applied to volumetric CT data, but their AI deployment models differ in ways that affect the injection surface. Aidoc’s platform operates as a “passive AI” layer alongside the PACS — it receives a copy of every study from the DICOM router and generates a priority flag that modifies the radiologist worklist without blocking study delivery to the radiologist. This means an adversarial image that successfully suppresses Aidoc’s flag still reaches the radiologist — but in a lower worklist position that may result in a longer time-to-read. Viz.ai’s critical finding pathway for LVO stroke is more active: a Viz.ai alert triggers a push notification to the on-call neurovascular team (interventional neurology, vascular surgery) before the radiologist has formally reported the study, creating a communication pathway that depends on the AI alert functioning correctly. A suppressed Viz.ai LVO alert means the neurovascular team does not receive a pre-read alert — even if the radiologist subsequently identifies the finding, the parallel time saved by the AI-triggered early activation is lost. The injection surface for both platforms is similar — the DICOM study submitted to the AI processing queue — but the clinical consequence of a suppressed flag differs: Aidoc suppression delays worklist prioritisation, Viz.ai suppression eliminates the pre-read team activation that is the primary clinical value proposition for stroke intervention. Both warrant the strictest scanning threshold (50) given their patient safety stakes.

Further reading