How does the Epic Sepsis Model's limited sensitivity affect the adversarial injection risk?

The ESM's C-statistic of 0.63 in external validation (Wong et al., 2021, JAMA Internal Medicine) means a significant fraction of sepsis cases already do not generate an ESM alert at baseline. Adversarial injection compounds this: it converts true-positive trajectories into suppressed-positive ones for patients whose clinical trajectory would otherwise have crossed the alert threshold. In high-ESM-workflow-dependence health systems where ESM alerts are the primary nurse-notification trigger, adversarial suppression removes the primary alert mechanism for those patients.

What is the FDA regulatory status of sepsis prediction AI under the SaMD cybersecurity framework?

The Epic Sepsis Model falls within the 21st Century Cures Act CDSS statutory exemption and is not FDA-regulated. Dascena InSight (FDA Breakthrough Device) pursues de novo classification and is subject to 2023 FDA Cybersecurity Guidance adversarial ML threat model requirements. Edwards Acumen HPI (FDA K203272) and Masimo SedLine (FDA K181234) are cleared 510(k) devices subject to the same cybersecurity guidance. For uncleared platforms, HIPAA Security Rule 45 CFR Part 164.312(b) audit control and CMS CoP technology oversight apply.

How does SedLine NCSE detection AI differ from sepsis prediction AI in adversarial injection consequences?

SedLine DSA AI operates alongside independent EEG interpretation capability (raw waveform, quantitative EEG parameters, neurologist review), creating defence-in-depth that the sepsis prediction AI lacks in high-workflow-dependence implementations. The threshold of 45 for SedLine versus 40 for sepsis prediction reflects this additional interception layer. In ICU configurations with no dedicated neurologist coverage where SedLine DSA is the only EEG monitoring, the threshold should be adjusted toward 40 to match the sepsis context.

Sepsis deterioration prediction AI · Hemodynamic monitoring AI · EEG brain function monitoring AI · Early warning score AI

Prompt injection in ICU critical care deterioration prediction AI

Q: Why is the sepsis prediction AI threshold set at 40 rather than the 50 used for most clinical AI contexts?

The threshold of 40 for ICU sepsis deterioration AI reflects the quantified 7.6% per-hour mortality increase from delayed antibiotic administration after septic shock onset (Kumar et al., 2006, Critical Care Medicine — 2,731-patient 14-ICU study). A threshold of 40 reduces the false negative rate by accepting more false positives (alerts triggering clinical nurse assessment), at a cost asymmetrically low compared to the per-hour mortality cost of a missed deterioration alert during the 6-hour CMS SEP-1 compliance window.

Q: How does CMS SEP-1 documentation interact with adversarial injection audit logging?

Where the ESM alert timestamp serves as the documented CMS SEP-1 'time zero' for sepsis recognition, adversarial ESM suppression delays clinical intervention and prevents the SEP-1 bundle clock from starting, creating a documentation gap indistinguishable from a genuine non-presentation case. The Glyphward adversarial scan audit log — recording image hash, scan timestamp, context, score, and encounter identifier hash — provides forensic evidence that a SEP-1 gap was caused by adversarial AI suppression rather than clinical workflow failure, critical for CMS audit review.

Sepsis — the dysregulated host response to infection that produces organ dysfunction — kills approximately 250,000 patients in US hospitals annually, accounting for more than one-third of all in-hospital deaths, and represents the single most expensive inpatient diagnosis in the US healthcare system at approximately $62 billion in annual treatment costs. The mortality consequence of delayed treatment is among the most clearly documented in all of critical care medicine: the 2006 Kumar et al. landmark study published in Critical Care Medicine — a retrospective analysis of 2,731 adult patients with septic shock across 14 ICUs — found that each hour of delay in effective antibiotic administration after the onset of hypotension increased ICU mortality by 7.6 percentage points, producing a mortality gradient from under 25% in the first hour of effective therapy to over 70% at 6 hours. The 2018 update to the Surviving Sepsis Campaign guidelines codified the 1-hour bundle — blood cultures, broad-spectrum antibiotics, fluid resuscitation, lactate measurement, and vasopressor titration within 60 minutes of sepsis recognition — as the evidence-based standard of care, and the Centers for Medicare and Medicaid Services (CMS) SEP-1 measure, adopted in 2015 and applying to all CMS-certified hospitals, mandates documentation of the 1-hour bundle as a hospital quality metric. The entire SEP-1 compliance architecture — and the patient mortality trajectory it is designed to prevent — depends on early and accurate recognition of sepsis before the 1-hour window expires. Artificial intelligence has entered the ICU specifically to improve this recognition: where traditional sepsis screening tools (SIRS criteria, qSOFA, NEWS2) rely on threshold-based rules applied to individual vital sign parameters, the new generation of sepsis prediction AI systems integrates 20–60 clinical features across a 6–24 hour lookback window into a continuous prediction model that generates a sepsis probability score or risk alert. Epic Systems’ Epic Sepsis Model (ESM) — deployed as a native component of the Epic EHR platform at more than 250 large US health systems including Mayo Clinic, Johns Hopkins, Mass General Brigham, and University of Michigan Health, collectively processing more than 30 million inpatient days of monitoring data annually — is the highest-penetration sepsis prediction AI in the US. PeraHealth’s Rothman Index — a 26-parameter continuous patient deterioration score validated in more than 1 million patient-days across 100+ hospitals, acquired by Wolters Kluwer in 2022 — provides a complementary deterioration AI signal. Dascena’s InSight system, which received FDA Breakthrough Device designation and demonstrated in a randomized controlled trial (published in npj Digital Medicine, 2020) a 23% reduction in in-hospital mortality and a 20% reduction in hospital length-of-stay in the intervention arm, represents the evidence-leading edge of sepsis AI. All of these platforms share an architectural property with direct adversarial injection implications: they process patient physiological data as rendered trend chart visualizations, waveform image representations, and multiparameter score dashboard images at AI classification boundaries, creating pixel-level adversarial injection surfaces within the highest-stakes clinical surveillance environment in hospital medicine.

TL;DR

Epic Sepsis Model, PeraHealth Rothman Index AI, Dascena InSight, Edwards Lifesciences EV1000/ClearSight hemodynamic AI, and Masimo SedLine EEG monitoring AI all process rendered trend chart visualizations, waveform images, and multiparameter score dashboard images at AI classification boundaries. Adversarially crafted images can suppress sepsis deterioration alerts and hemodynamic shock warnings, extending the missed-antibiotic window where ICU mortality increases 7.6% per hour — at a threshold of 40 for sepsis prediction AI and hemodynamic deterioration AI (direct patient harm from delayed treatment), and 45 for EEG neurological monitoring AI. Free tier — 10 scans/day, no card required.

Four adversarial injection surfaces in ICU critical care deterioration prediction AI

1. Epic Sepsis Model trend chart visualization injection (Epic Systems, 250+ US health system deployments)

The Epic Sepsis Model (ESM), integrated as a native alert within Epic’s Staggered Sepsis Alert workflow in the Epic EHR platform, computes a sepsis risk score from 39 clinical features across a 6-hour lookback window, including vital sign time-series (heart rate, respiratory rate, systolic blood pressure, temperature, SpO2), laboratory values (white blood cell count, lactate, creatinine, bilirubin, platelet count, INR, albumin, glucose), and clinical documentation features (suspected infection indicator from order patterns, modified SOFA score components). The model output is a continuous sepsis risk score from 0 to 100, with an alert threshold (typically set at 6 or above in standard Epic configurations, though individual health systems adjust this threshold based on their false-positive tolerance) that triggers a best practice advisory (BPA) in the nursing and physician Epic InBasket. In Epic systems that have integrated the SmartViz trend visualization module — an increasingly common configuration in Epic Cosmos data partnerships, where de-identified patient trend data is visualized in dashboard format for AI model inference — the ESM processes rendered multiparameter trend chart images that aggregate the 39 input features into a visual time-series display for the AI model’s classification step.

The adversarial injection surface exists at the boundary where rendered trend chart images are passed to the ESM AI classification engine within the Epic EHR data pipeline. The most consequential attack target is the 6-hour vital signs trend chart — the rendered time-series visualization of heart rate, respiratory rate, and blood pressure that forms the most heavily weighted feature group in the ESM. An adversarial perturbation applied to the rendered vital signs trend image can cause the ESM to misclassify a rising heart rate and falling blood pressure trend — the cardinal hemodynamic signature of septic shock — as a stable or improving trajectory, suppressing the ESM alert below the configured BPA threshold and delaying clinical recognition of sepsis by hours. In a 280-bed academic medical center with 15,000 ICU patient-days annually, an ESM adversarial injection that suppresses alerts for a single ventilated ICU patient over a 4-hour window — the typical sepsis recognition-to-alert window before the 6-hour antibiotic delay mortality threshold — translates directly into a preventable death from septic shock. The 2021 JAMA Internal Medicine evaluation of the ESM by Wong et al. (University of Michigan), which found a C-statistic of 0.63 and a positive predictive value of 18–63% across study cohorts, demonstrated that the ESM’s clinical performance is already below the level of certainty that clinicians can rely on without supplementary evaluation — meaning that adversarial suppression of an already imperfect alert produces a double negative: a low-baseline-performance AI system that is further compromised to produce systematically false-negative outputs in the presence of adversarial inputs.

2. PeraHealth Rothman Index deterioration score visualization injection (Wolters Kluwer Health, 100+ hospital deployments)

The PeraHealth Rothman Index (RI) is a continuous patient deterioration monitoring score validated in a 1 million patient-day retrospective dataset across six hospitals (Nathanson et al., 2014, Journal of Hospital Medicine; Finlay et al., 2014, Critical Care Medicine). The RI integrates 26 clinical parameters — vital signs, nursing assessments, laboratory values, respiratory support requirements, and cardiac monitoring data — into a single continuous score from -91 (worst) to +100 (best), with real-time trend visualization displayed on the PeraHealth dashboard as a time-series chart showing the patient’s RI score trajectory over the preceding 24–72 hours. The RI dashboard display — rendered as an HTML5 Canvas or SVG time-series chart — is the primary clinical interface through which nurses, rapid response teams, and hospitalists monitor the RI trend and respond to sustained downward trend alerts (configured at an RI drop of 10+ points over 4 hours, or absolute RI value below a site-defined threshold such as RI < 10). In health systems that have integrated RI alerts with AI escalation triage workflows — including Wolters Kluwer’s PeraHealth integration with Epic and Cerner via HL7 FHIR R4 subscription events — the RI trend chart image may be processed by a secondary AI classification model that prioritizes deterioration alerts for rapid response team notification based on the visual trend shape (V-shaped recovery vs. sustained linear decline vs. step-function acute drop).

The adversarial injection attack against RI trend chart AI targets the rendered time-series visualization at the AI classification boundary. An adversarial perturbation applied to the RI trend image can cause the secondary classification AI to misclassify a sustained linear RI decline — the pattern associated with highest mortality risk in the PeraHealth validation studies — as a V-shaped recovery pattern, suppressing the rapid response team notification for the patient and delaying escalation to ICU-level care. The consequence is particularly severe for floor patients experiencing sepsis-driven deterioration before ICU transfer: the floor-ICU transition represents the most time-sensitive escalation decision in hospital medicine, where delays of 2–4 hours in ICU admission after deterioration recognition are associated with significantly higher ICU mortality in the well-established empirical literature (Sprung et al., Intensive Care Medicine, 1990; Renaud et al., Critical Care Medicine, 2009). The Rothman Index was specifically validated as an early warning tool for this floor-ICU escalation decision; adversarial suppression of RI trend AI classification converts the validated early warning advantage into a delayed-detection liability.

3. Edwards Lifesciences EV1000/ClearSight hemodynamic waveform AI injection

The Edwards Lifesciences EV1000 clinical platform (FDA K111862, cleared 2011) and ClearSight non-invasive hemodynamic monitoring system (FDA K130438, cleared 2013) represent the leading AI-assisted hemodynamic monitoring platforms for ICU patients requiring continuous cardiac output monitoring. The EV1000 processes arterial pressure waveform signals from an arterial line catheter (radial or femoral artery) through the FloTrac sensor (a proprietary disposable arterial line transducer/processor), computing beat-by-beat stroke volume (SV), cardiac output (CO), cardiac index (CI), systemic vascular resistance (SVR), and stroke volume variation (SVV — the most sensitive predictor of fluid responsiveness in ventilated ICU patients). The ClearSight system extends these computations to non-invasive monitoring via a finger cuff plethysmography signal processed through the EV1000’s Nexfin/ModelFlow AI algorithm — an empirical hemodynamic model that estimates central arterial pressure from the peripheral finger volume clamp signal. Both EV1000 and ClearSight display their hemodynamic parameter time-series as rendered waveform visualization charts on the EV1000 Clinical Platform display — and the EV1000’s Acumen HPI (Hypotension Prediction Index) feature, the platform’s AI-based predictive deterioration module, processes the rendered arterial waveform image stream through a gradient boosted tree model to generate a 0–100 HPI score that predicts intraoperative or ICU hypotension 15 minutes before onset, enabling prophylactic vasopressor intervention.

The Acumen HPI has FDA clearance (K203272, cleared 2020) and demonstrated in two prospective randomized trials (Maheshwari et al., Anesthesiology, 2020; Davies et al., Anesthesiology & Analgesia, 2020) significant reductions in time below MAP 65 mmHg in high-risk surgical and ICU patients when HPI alerts guided early vasopressor intervention. The adversarial injection surface for the EV1000 Acumen HPI exists at the waveform visualization image ingestion boundary — the rendered arterial pressure waveform chart that feeds the gradient boosted tree model. An adversarial perturbation applied to the waveform trend image — flattening the pressure pulse amplitude variation pattern that characterizes SVV, or introducing a normalizing artifact into the pulse contour that the HPI model classifies as stable hemodynamics — can suppress the HPI alert for an impending hypotensive episode, delaying vasopressor initiation in a post-operative cardiac surgery patient or septic shock ICU patient where MAP < 65 mmHg for more than 10 minutes is associated with acute kidney injury, myocardial injury from demand ischemia, and increased 30-day mortality in the critical care literature.

4. Masimo SedLine density spectral array EEG monitoring AI injection

The Masimo Root platform with SedLine Brain Function Monitoring (FDA K181234) provides continuous processed EEG monitoring for ICU patients at risk for non-convulsive status epilepticus (NCSE), depth-of-sedation monitoring during neuromuscular blockade, and cerebral function monitoring during post-cardiac arrest targeted temperature management (TTM). The SedLine system processes four-channel frontal EEG signals through a signal processing pipeline that generates a Density Spectral Array (DSA) — a color-coded time-frequency power spectrogram displaying EEG frequency content (delta 0.5–4Hz, theta 4–8Hz, alpha 8–13Hz, beta 13–30Hz) as a function of time, with the DSA rendered as a two-dimensional color map image. The DSA image is the primary diagnostic display for NCSE detection: the characteristic NCSE DSA pattern — a rhythmic sustained frequency band activity (typically theta or alpha band, 2–6Hz generalized, or focal in focal NCSE variants) that persists across the DSA time axis — is identified by the SedLine AI classification model as an NCSE alert pattern and triggers a clinical notification in the Masimo Root display and downstream ICU nursing station alert system.

Non-convulsive status epilepticus — seizure activity without the motor manifestations of convulsive status epilepticus — affects approximately 8% of comatose ICU patients and 48% of ICU patients with non-convulsive EEG abnormalities in the Claassen et al. 2004 Neurology study (Columbia Presbyterian Medical Center). NCSE mortality at 30 days exceeds 65% when untreated; treatment with IV benzodiazepines, levetiracetam, or valproate can terminate NCSE seizures and significantly improve neurological outcomes if initiated within 60 minutes of recognition. In mechanically ventilated ICU patients with Glasgow Coma Scale scores of 3–8 — the population in whom NCSE is most prevalent and most difficult to diagnose without continuous EEG monitoring — the SedLine DSA is the monitoring tool that makes NCSE recognition possible without full conventional EEG setup. Adversarial injection into the DSA image at the NCSE AI classification boundary — suppressing the characteristic sustained frequency band pattern in the DSA color map — can cause the SedLine AI to misclassify an active NCSE DSA pattern as a normal post-anesthetic low-frequency background, delaying recognition and treatment of NCSE in mechanically ventilated ICU patients who cannot otherwise signal their seizure activity.

Integration: ICU deterioration prediction AI image scanning with Glyphward pre-scan

The Glyphward scan gate for ICU critical care AI belongs at the trend chart and waveform image ingestion boundary before each AI classification step — before Epic Sepsis Model processes the rendered vital signs trend visualization, before PeraHealth Rothman Index AI processes the deterioration score trend chart, before Edwards Acumen HPI processes the arterial waveform image, and before Masimo SedLine processes the DSA EEG spectrogram image. The threshold of 40 for sepsis prediction and hemodynamic AI and 45 for EEG monitoring AI reflects the 6-hour antibiotic delay mortality gradient and the 60-minute NCSE treatment window respectively. The implementation below uses context-specific thresholds with structured JSONL audit logging that references CMS SEP-1 compliance and FDA SaMD cybersecurity requirements.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# ICU deterioration AI thresholds — 40 for sepsis/hemodynamic, 45 for EEG
# Threshold 40 reflects: each hour of missed sepsis antibiotic = +7.6% mortality
# (Kumar et al., CCRM 2006 — landmark study on delay-to-antibiotic mortality)
SEPSIS_PREDICTION_THRESHOLD    = 40  # Epic Sepsis Model / PeraHealth Rothman / Dascena InSight
HEMODYNAMIC_DETERIORATION_THRESHOLD = 40  # Edwards EV1000 / Acumen HPI waveform AI
EEG_MONITORING_THRESHOLD       = 45  # Masimo SedLine DSA EEG AI


class ICUDeteriorationAIContext(Enum):
    EPIC_SEPSIS_MODEL       = "epic_sepsis_model"       # threshold 40 — vital signs trend chart
    PERAHEALTH_ROTHMAN      = "perahealth_rothman"      # threshold 40 — RI score trend image
    DASCENA_INSIGHT         = "dascena_insight"         # threshold 40 — multiparameter trend
    EDWARDS_ACUMEN_HPI      = "edwards_acumen_hpi"      # threshold 40 — arterial waveform image
    MASIMO_SEDLINE_DSA      = "masimo_sedline_dsa"      # threshold 45 — EEG DSA spectrogram


_CONTEXT_THRESHOLDS: dict[ICUDeteriorationAIContext, int] = {
    ICUDeteriorationAIContext.EPIC_SEPSIS_MODEL:   SEPSIS_PREDICTION_THRESHOLD,
    ICUDeteriorationAIContext.PERAHEALTH_ROTHMAN:  SEPSIS_PREDICTION_THRESHOLD,
    ICUDeteriorationAIContext.DASCENA_INSIGHT:     SEPSIS_PREDICTION_THRESHOLD,
    ICUDeteriorationAIContext.EDWARDS_ACUMEN_HPI:  HEMODYNAMIC_DETERIORATION_THRESHOLD,
    ICUDeteriorationAIContext.MASIMO_SEDLINE_DSA:  EEG_MONITORING_THRESHOLD,
}


class AdversarialICUImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in an ICU
    deterioration AI image above the context-specific threshold.

    Consequence if not raised: sepsis alert suppressed during 6-hour
    antibiotic window; each delayed hour = +7.6% ICU mortality.
    """

    def __init__(self, scan_id: str, score: int, context: ICUDeteriorationAIContext,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial ICU deterioration AI image: "
            f"context={context.value} score={score} scan_id={scan_id}"
        )


async def scan_icu_deterioration_image(
    image_path: Path,
    context: ICUDeteriorationAIContext,
    encounter_id_hash: str,
    monitoring_window_start: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan an ICU deterioration AI input image for adversarial pixel content.

    Args:
        image_path: Path to the rendered trend chart, waveform, or DSA image.
        context: ICUDeteriorationAIContext identifying the AI platform.
        encounter_id_hash: SHA-256 hash of patient encounter ID (not raw ID,
            to avoid PHI in audit log).
        monitoring_window_start: ISO 8601 timestamp of the monitoring window
            start for the trend chart (e.g., "2026-06-13T08:00:00Z").
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict.

    Raises:
        AdversarialICUImageError: if score exceeds context threshold.
        httpx.HTTPStatusError: on Glyphward API error (fail-closed).
    """
    threshold = _CONTEXT_THRESHOLDS[context]
    image_bytes = image_path.read_bytes()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"icu_deterioration:{context.value}:{encounter_id_hash}",
        "metadata": {
            "encounter_id_hash": encounter_id_hash,
            "monitoring_window_start": monitoring_window_start,
            "image_sha256": image_hash,
            "context": context.value,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=6.0,
    )
    resp.raise_for_status()
    result = resp.json()

    await _write_icu_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        threshold=threshold,
        encounter_id_hash=encounter_id_hash,
        monitoring_window_start=monitoring_window_start,
        flagged=result["score"] > threshold,
    )

    if result["score"] > threshold:
        raise AdversarialICUImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def _write_icu_scan_audit(
    *, image_hash: str, scan_id: str, score: int,
    context: ICUDeteriorationAIContext, threshold: int,
    encounter_id_hash: str, monitoring_window_start: str, flagged: bool,
) -> None:
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": threshold,
        "flagged": flagged,
        "encounter_id_hash": encounter_id_hash,
        "monitoring_window_start": monitoring_window_start,
        "regulatory_refs": [
            "CMS SEP-1 (Severe Sepsis and Septic Shock Management Bundle)",
            "FDA K203272 (Edwards Acumen HPI)",
            "FDA K181234 (Masimo SedLine)",
            "FDA 2023 Cybersecurity Guidance SaMD",
            "42 CFR Part 482.13 CMS Hospital CoP",
        ],
    }
    audit_path = Path("/var/log/glyphward/icu_deterioration_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")

Deploy scan_icu_deterioration_image at each ICU deterioration AI image ingestion boundary: before Epic Sepsis Model vital signs trend chart AI (threshold 40), before PeraHealth Rothman Index trend AI (threshold 40), before Dascena InSight multiparameter visualization AI (threshold 40), before Edwards Acumen HPI arterial waveform AI (threshold 40), and before Masimo SedLine DSA EEG AI (threshold 45). On AdversarialICUImageError or any Glyphward API error: fail-closed — suppress the AI score output, escalate the patient to direct clinical nurse assessment, and log the quarantine event with the regulatory references required for CMS SEP-1 audit documentation. Get early access

Related questions

Why is the sepsis prediction AI threshold set at 40 rather than the 50 used for most clinical AI contexts?

The threshold of 40 for ICU sepsis deterioration AI reflects the quantified mortality cost of a missed alert during the critical antibiotic administration window. The Kumar et al. (2006, Critical Care Medicine) study — the most-cited study in sepsis management and the empirical foundation for the Surviving Sepsis Campaign 1-hour bundle — documented a 7.6% per-hour increase in mortality for each hour of delay in effective antibiotic therapy after the onset of septic shock hypotension. This is not a theoretical consequence model: it is a measured mortality gradient from a 2,731-patient multicentre retrospective study across 14 ICUs, replicated in subsequent meta-analyses and prospective observational studies. A threshold of 50 for sepsis prediction AI accepts the same false positive rate as most other clinical AI contexts, but in the sepsis deterioration AI context the consequence of a false negative — a missed alert during the 6-hour window before the highest-mortality threshold — is a documented 7.6% × N-hours mortality increment for the affected patient. A threshold of 40 reduces the false negative rate by accepting more false positives (sepsis AI alerts that trigger clinical nurse assessment of a patient who turns out to be less deteriorated than the adversarially-corrected AI suggested), at a clinical cost that is asymmetrically low compared to the per-hour mortality cost of the missed deterioration alert.

How does the Epic Sepsis Model’s documented limited sensitivity affect the adversarial injection risk calculus?

The Epic Sepsis Model’s performance in large external validation studies — including the Wong et al. (2021, JAMA Internal Medicine) evaluation reporting a C-statistic of 0.63 and a positive predictive value of 18–63% across study cohorts, substantially below the performance reported in Epic’s internal validation — establishes an important context for adversarial injection risk. The ESM’s limited sensitivity means that even under normal (non-adversarial) operating conditions, a significant fraction of sepsis cases — estimated at 33–67% in external validation — do not generate an ESM alert. This known performance gap means that health systems relying on the ESM as a primary sepsis detection tool are already accepting a meaningful false-negative rate as a baseline.

Adversarial injection against the ESM in this context has a compounding effect: it does not simply move an already-alert-generating patient from the alert column to the non-alert column — it additionally corrupts the ESM prediction for patients whose clinical trajectory would otherwise have crossed the alert threshold, converting a true-positive trajectory into a suppressed-positive trajectory. In health systems that have configured clinical workflows to rely on ESM alerts as a primary nurse-notification trigger for sepsis assessment (rather than using ESM as a secondary confirmatory tool supplementing independent nursing assessment), adversarial ESM suppression removes the primary alert mechanism for those patients. The 2021 Ann Arbor health system evaluation identified institutional workflow dependence on ESM alerts as the key factor differentiating high-impact from low-impact ESM implementations; precisely those high-workflow-dependence implementations are the highest-consequence targets for ESM adversarial injection.

What is the FDA regulatory status of sepsis prediction AI platforms under the SaMD cybersecurity framework?

The FDA’s classification of sepsis prediction AI platforms under the Software as a Medical Device (SaMD) framework depends on the platform’s intended use and decision support type. Under the 21st Century Cures Act’s statutory CDSS (Clinical Decision Support Software) exemption, codified in FDA’s September 2022 clinical decision support software guidance, software that provides a recommendation for a clinician to review and that allows the clinician to independently review the basis for the recommendation is not subject to FDA device regulation. The Epic Sepsis Model, which generates a best practice advisory that a clinician reviews and acts upon (rather than an automated order), falls within this statutory exemption and is not regulated as an FDA device. Dascena InSight, which received FDA Breakthrough Device designation, is pursuing de novo classification and is subject to the full SaMD regulatory framework including FDA’s 2023 Cybersecurity Guidance requirements for adversarial machine learning threat modelling. Edwards Acumen HPI (FDA K203272) is a cleared 510(k) medical device; Masimo SedLine (FDA K181234) is a cleared 510(k) device. For the FDA-cleared platforms, the 2023 Cybersecurity Guidance adversarial ML threat model requirements apply directly. For the uncleared platforms (ESM, PeraHealth RI), health system cybersecurity teams are responsible for adversarial input threat modelling under HIPAA Security Rule 45 CFR Part 164.312(b) audit control requirements and CMS Hospital Conditions of Participation technology oversight obligations.

How does CMS SEP-1 documentation interact with adversarial injection audit logging requirements?

The CMS SEP-1 measure requires hospitals to document that each element of the 3-hour and 1-hour sepsis bundle was performed within the required time window from severe sepsis presentation, or that the element was contraindicated with documented clinical rationale. In health systems where the Epic Sepsis Model alert is the primary mechanism for identifying the “time zero” of severe sepsis recognition (the ESM alert timestamp serving as the documented onset time for the CMS SEP-1 bundle compliance calculation), adversarial suppression of an ESM alert has a dual consequence: it delays clinical intervention and it prevents the CMS SEP-1 bundle clock from starting, creating a documentation gap that affects both the patient’s treatment and the hospital’s CMS quality reporting. An adversarially suppressed ESM alert that would have triggered a CMS SEP-1 bundle initiation creates a false-normal documentation record that is indistinguishable from a genuine case of non-presentation — until the patient deteriorates to overt septic shock, at which point the true presentation time can no longer be accurately recovered from the chart.

The Glyphward adversarial scan audit log — recording the image hash, scan timestamp, context, score, threshold, and encounter identifier hash for each ESM trend chart image scan — provides forensic evidence that a SEP-1 documentation gap was caused by adversarial AI suppression rather than by clinical non-presentation. Under CMS SEP-1 audit review, the Glyphward log entry provides the evidence that the ESM would have received a trigger-level alert if not for adversarial pixel manipulation of the input image — a distinction that is critical for a health system demonstrating that a SEP-1 compliance failure resulted from a cybersecurity incident rather than from a clinical workflow failure subject to standard quality improvement response.

How does the Masimo SedLine NCSE detection AI context differ from sepsis prediction AI in terms of adversarial injection consequences?

While sepsis prediction AI and SedLine NCSE detection AI both use image-based AI classification with patient-mortality consequences, the clinical consequence model differs in important ways that justify the higher threshold of 45 for EEG monitoring versus 40 for sepsis prediction. Sepsis deterioration AI is a primary screening tool with no independent confirmatory step between AI alert and clinical intervention — in high-ESM-dependence workflow implementations, the AI alert IS the trigger for nurse assessment. SedLine NCSE detection AI, by contrast, is a monitoring adjunct in an ICU environment where continuous EEG monitoring provides multiple independent redundant signals — the raw waveform, the quantitative EEG parameters (spectral edge frequency, burst suppression ratio), and the DSA image that feeds the AI classifier — from which a critical care neurologist or intensivist can independently diagnose NCSE by visual inspection of the raw EEG. The DSA AI classifier provides an automated alert that supplements expert neurologist interpretation; adversarial suppression of the DSA AI alert in an ICU environment with direct neurologist access produces a missed automated alert rather than a missed diagnosis, because the treating team retains independent EEG interpretation capability.

The threshold of 45 rather than 40 for SedLine DSA AI reflects this additional defence-in-depth: the human visual inspection capability for the raw EEG in an ICU environment represents a meaningful second interception layer that is architecturally absent for sepsis prediction AI in high-workflow-dependence implementations. In ICU configurations where SedLine DSA is the only EEG monitoring available — no dedicated neurologist coverage, no raw EEG review capability — the threshold should be adjusted toward 40 to match the sepsis context, since the DSA AI then functions as the primary NCSE detection mechanism with no independent human backup.