PET/CT oncology staging AI · SPECT myocardial perfusion AI · Radiopharmaceutical therapy dosimetry AI · Bone scan cancer staging AI
Prompt injection in nuclear medicine imaging AI
Nuclear medicine imaging has entered a phase of deep AI integration in which the quantitative outputs of reconstruction and analysis algorithms — not just human visual interpretation of images — directly determine treatment decisions for cancer staging, cardiac catheterization referral, radiopharmaceutical therapy dosing, and prostate cancer treatment response. The shift is regulatory as well as clinical: FDA has cleared or approved AI software embedded in PET/CT and SPECT camera systems, standalone nuclear medicine AI workstation software, and radiopharmaceutical therapy dosimetry platforms as Software as a Medical Device (SaMD) under 510(k) and PMA pathways, making their outputs formally part of regulated diagnostic workflows. Siemens Healthineers Biograph Vision PET/CT (FDA 510(k) K193402), GE Healthcare Discovery MI PET/CT, Philips Vereos Digital PET/CT, and United Imaging uMI 550 together account for the overwhelming majority of PET/CT systems installed across U.S. academic medical centers, NCI-designated cancer centers, and community oncology practices — a combined installed base exceeding 3,000 PET/CT systems performing more than 2 million FDG-PET/CT studies annually in the United States for oncology staging, restaging, and treatment response assessment. AI quantification software integrated into and connected to these platforms computes standardized uptake values (SUVmax, SUVmean, SUVpeak) from reconstructed PET images and generates PERCIST treatment response categories (Complete Metabolic Response, Partial Metabolic Response, Stable Metabolic Disease, Progressive Metabolic Disease) and AJCC TNM staging inputs used by tumor boards and medical oncologists to select treatment regimens for lung cancer, lymphoma, colorectal cancer, melanoma, and head-and-neck cancer patients. Cedars-Sinai QPS/QGS — deployed in more than 80% of U.S. nuclear cardiology laboratories and tens of thousands of SPECT MPI studies daily — applies AI to gated SPECT perfusion images to quantify myocardial perfusion defect extent and severity, wall motion, and ejection fraction, generating a structured report used by cardiologists to decide whether to refer patients for coronary angiography and revascularization. MIM SurePlan (MIM Software, FDA 510(k) K180468) and HERMES Medical Solutions HERMES Dosimetry calculate absorbed radiation dose to target tumors and dose-limiting organs — principally kidneys and bone marrow — from quantitative SPECT/CT images acquired after each cycle of Lu-177-DOTATATE (LUTATHERA, approved FDA NDA 210922) or Lu-177-PSMA-617 (PLUVICTO, approved FDA NDA 215435) therapy, directly setting the administered activity for each subsequent treatment cycle. EXINI BoneScan AI and EXINI Prostate AI (EXINI Diagnostics, acquired by Lantheus Holdings in 2021 for $70.8 million) deployed in more than 500 nuclear medicine sites globally classify whole-body Tc-99m MDP bone scan images and quantify bone lesion burden for prostate cancer staging and treatment response assessment. In every one of these pipelines, AI receives as input a nuclear medicine image — a reconstructed PET volume, a reconstructed SPECT perfusion dataset, a quantitative SPECT/CT dosimetry image, a whole-body planar bone scan image — and outputs quantitative measurements that determine clinical decisions without further human quantitative recalculation. When the reconstruction pipeline, the DICOM transmission pathway, or the AI workstation ingestion boundary can be reached by an adversarial actor, the pixel content of these images becomes a prompt injection surface into medical AI with direct patient safety consequences spanning cancer understaging, missed coronary artery disease, radiation nephropathy, and false treatment response assessment in metastatic prostate cancer.
TL;DR
Siemens Biograph Vision, GE Discovery MI, Philips Vereos PET/CT AI, Cedars-Sinai QPS/QGS SPECT MPI AI, MIM SurePlan dosimetry AI, and EXINI BoneScan AI all process reconstructed nuclear medicine images whose pixel content is the direct input to AI quantification engines that drive staging, catheterization, dosimetry, and treatment response decisions. Adversarially crafted PET/SPECT images can corrupt SUVmax measurements used for AJCC TNM staging, suppress ischemic perfusion defects in cardiac SPECT, cause AI to underestimate kidney absorbed dose in Lu-177 therapy, and alter bone lesion counts in prostate cancer staging — at thresholds of 45 for PET oncology SUV AI, 45 for SPECT cardiac MPI AI, 45 for radiopharmaceutical therapy dosimetry AI, and 50 for bone scan staging AI. Free tier — 10 scans/day, no card required.
Four adversarial injection surfaces in nuclear medicine imaging AI
1. PET/CT SUV quantification AI for oncology staging (Siemens Biograph Vision, GE Discovery MI, Philips Vereos, United Imaging uMI 550)
FDG-PET/CT is the standard of care for initial staging and treatment response assessment across the most common FDG-avid malignancies — non-Hodgkin lymphoma, lung adenocarcinoma and squamous cell carcinoma, colorectal cancer with hepatic metastases, melanoma, and head-and-neck squamous cell carcinoma — with annual U.S. scan volume exceeding 2 million studies. The quantitative output of FDG-PET/CT AI analysis is the standardized uptake value (SUV): a decay-corrected, body-weight-normalized measure of regional FDG concentration in reconstructed PET images expressed in units of g/mL. SUVmax (the maximum voxel SUV within a defined volume of interest) is the primary AI-generated measurement used for oncology staging decisions: Lugano Classification for lymphoma response uses SUV thresholds relative to mediastinal blood pool and liver reference; PERCIST 1.0 treatment response criteria use a 30% decrease in SULpeak (SUV lean body mass corrected) to define partial metabolic response; and clinical SUV thresholds in the range of 2.5–4.0 are used to differentiate benign from malignant pulmonary nodules in SUV-assisted lung nodule AI analysis. AI software platforms integrated with or connected to PET/CT scanners — Siemens Syngo.via MI Oncology, GE AW Server Oncology, Philips IntelliSpace Portal PET Analysis, MIM Software PETCT Fusion — automatically extract SUVmax and SUVmean from segmented lesions in reconstructed PET DICOM images received from the PET/CT scanner reconstruction pipeline.
The adversarial injection surface for PET SUV AI is the reconstructed PET DICOM image at the point of transmission from the PET/CT scanner reconstruction workstation to the AI analysis platform over the hospital DICOM network or PACS integration pathway. Adversarial pixel perturbations applied to reconstructed PET DICOM image pixel data — perturbations that are visually subtle and within the range of normal reconstruction noise — can artifactually elevate SUVmax in a primary tumor lesion or regional lymph node volume of interest from a value below the malignancy threshold to a value above it, or suppress SUVmax in a known malignant lesion below the threshold used by AI to declare metabolic complete response. The clinical consequence of artifactual SUV elevation in lymph node staging is AJCC N-stage upstaging: a lung cancer patient whose mediastinal lymph node SUVmax is artifactually elevated from 2.1 to 4.9 would be misclassified from cN0 (node-negative, resectable stage I/II) to cN2 (ipsilateral mediastinal involvement, stage IIIA), redirecting treatment from surgical resection with curative intent to definitive concurrent chemoradiotherapy — a treatment change associated with substantially lower 5-year survival. The inverse attack — SUVmax suppression at a known malignant lymph node — generates a false metabolic complete response in a patient with residual active lymphoma after frontline chemotherapy, falsely indicating response and potentially delaying consolidation radiotherapy or salvage treatment until clinical relapse.
2. Myocardial perfusion imaging SPECT AI (Cedars-Sinai QPS/QGS, Emory Cardiac Toolbox, EXINI HeartSee AI, GE Myovation AI)
Myocardial perfusion imaging (MPI) SPECT is the highest-volume nuclear cardiology procedure in the United States, with approximately 9 million studies performed annually for evaluation of coronary artery disease (CAD), stress-induced ischemia, myocardial viability, and risk stratification. Cedars-Sinai Quantitative Perfusion SPECT / Quantitative Gated SPECT (QPS/QGS), developed at Cedars-Sinai Medical Center and licensed to vendors including Siemens Healthineers and GE Healthcare, is deployed in more than 80% of U.S. nuclear cardiology laboratories and is the reference AI platform against which other MPI SPECT AI systems are validated. QPS/QGS processes gated SPECT stress and rest image datasets — three-dimensional reconstructed SPECT volumes of the myocardium acquired with Tc-99m sestamibi or tetrofosmin (MIBI, CardioTec) after pharmacologic or exercise stress and at rest — to automatically segment the left ventricular myocardium, generate polar map perfusion displays (bull’s-eye plots), quantify perfusion defect extent as a percentage of total myocardial surface, calculate total perfusion deficit (TPD), and compute left ventricular ejection fraction and wall motion scores from gated SPECT frames. The structured QPS/QGS report output — perfusion defect extent, severity, reversibility (stress-rest difference), ejection fraction — is the primary quantitative data reviewed by cardiologists in determining whether to refer patients for invasive coronary angiography and revascularization. ACC/AHA and ASNC guidelines recommend coronary angiography referral for SPECT MPI findings of large perfusion defects (>10% myocardium), high-risk findings including transient ischemic dilation (TID), or reduced LVEF (<45%) on post-stress gated SPECT.
The adversarial injection surface for SPECT MPI AI is the reconstructed SPECT DICOM image dataset at transmission from the gamma camera reconstruction workstation (Siemens Symbia Intevo, GE Optima NM/CT 640, Philips BrightView XCT, Canon Medical Systems Celesteion) to the QPS/QGS or equivalent AI workstation. Gated SPECT datasets consist of multiple three-dimensional SPECT volumes — typically 8 or 16 gated frames per cardiac cycle — across stress and rest acquisition conditions, yielding a multi-volume DICOM series that the AI processes jointly for perfusion quantification and functional analysis. Adversarial pixel perturbations applied to the SPECT perfusion volume can suppress signal in an ischemic territory — the inferolateral wall, the anterior wall, or the apex — causing QPS/QGS AI to report normal perfusion in a region with significant Tc-99m sestamibi uptake reduction reflecting stress-induced ischemia from significant left circumflex, left anterior descending, or right coronary artery stenosis. The clinical consequence is failure to refer a patient with hemodynamically significant CAD for coronary angiography that would have revealed a stenosis amenable to percutaneous coronary intervention — leaving the patient at elevated risk of subsequent myocardial infarction and sudden cardiac death. The inverse attack — generating a false-positive perfusion defect in a normal SPECT study — directs an asymptomatic patient with normal coronary arteries to invasive coronary angiography, carrying a procedural complication risk (arterial access complications, contrast nephropathy, arrhythmia) of approximately 1 in 500 to 1 in 1,000 for diagnostic-only angiography.
3. Lu-177 / Y-90 radiopharmaceutical therapy dosimetry AI (MIM SurePlan, HERMES Dosimetry, Planet Dose AI, Quanteus Q.Dose AI)
Lutetium-177 radiopharmaceutical therapy — Lu-177-DOTATATE (LUTATHERA, Advanced Accelerator Applications/Novartis, FDA approved NDA 210922 in January 2018 for somatostatin receptor-positive gastroenteropancreatic neuroendocrine tumors) and Lu-177-PSMA-617 (PLUVICTO, Novartis, FDA approved NDA 215435 in March 2022 for metastatic castration-resistant prostate cancer) — delivers targeted beta-particle radiation to tumor cells expressing somatostatin receptors or prostate-specific membrane antigen (PSMA), with dose-limiting toxicity at critical organs including kidneys (23 Gy total absorbed dose limit) and bone marrow (2 Gy limit for red marrow). Personalized dosimetry — calculating the actual absorbed dose delivered to each patient’s organs and tumors from their individual pharmacokinetics as measured by quantitative SPECT/CT imaging — is performed using AI software platforms including MIM SurePlan (MIM Software, FDA 510(k) K180468), HERMES Dosimetry (HERMES Medical Solutions Gold Standard dosimetry platform), Planet Dose AI (Advanced Accelerator Applications/Sanofi), and Quanteus Global Q.Dose AI. These platforms acquire quantitative SPECT/CT images at 24, 48, and 168 hours post-injection for each therapy cycle, apply SUV-analogous quantitative SPECT reconstruction algorithms to convert image pixel values to absolute activity concentration (MBq/mL), fit multi-time-point activity-concentration curves to dosimetric models (OLINDA/EXM, MIRD S-values, voxel-level dosimetry), and generate cycle dose and cumulative dose reports for kidneys, liver, spleen, bone marrow, and target lesions that the treating nuclear medicine physician uses to determine the administered activity for the next treatment cycle under NRC 10 CFR Part 35.396.
The adversarial injection surface for dosimetry AI is the quantitative SPECT/CT DICOM image at each post-therapy imaging time point — the 24-hour, 48-hour, and 168-hour post-injection SPECT/CT acquisitions whose absolute pixel values represent radiotracer concentration in each voxel. Adversarial pixel perturbations that systematically suppress pixel intensity values in the renal cortex volumes of interest across one or more post-therapy time points cause the dosimetry AI to underestimate the area under the time-activity curve for the kidneys, generating a falsely low kidney absorbed dose calculation. A 25% underestimate in kidney dose across three Lu-177-DOTATATE cycles could result in cumulative kidney absorbed dose of 28–30 Gy against a target limit of 23 Gy — exceeding the tolerance threshold by a clinically meaningful margin that initiates radiation nephropathy, with progressive loss of GFR (glomerular filtration rate), proteinuria, and hypertension developing over 6–12 months post-therapy. The inverse attack — overestimating kidney dose — generates false dose-limiting nephrotoxicity findings that cause premature treatment termination after 2–3 cycles in a patient who would benefit from the full 4-cycle LUTATHERA regimen, reducing therapeutic efficacy in a population with limited treatment alternatives. Y-90 SIRT (selective internal radiotherapy) dosimetry — using HERMES Dosimetry and MIM SurePlan for Y-90 microsphere hepatic radioembolization — faces an equivalent adversarial surface in the quantitative SPECT Bremsstrahlung or PET (Y-90 PET, very low positron fraction) images used for post-procedure dosimetry, where adversarial manipulation of liver segment dose estimates affects reporting of dose coverage to hepatocellular carcinoma or hepatic metastases under IAEA Human Health Series No. 9 criteria.
4. Bone scan AI for cancer staging (EXINI BoneScan AI, EXINI Prostate AI, PyL PSMA PET AI, Progenics PSMA AI)
Tc-99m methylene diphosphonate (MDP) whole-body bone scan remains the workhorse imaging modality for detection of osseous metastases in prostate cancer, breast cancer, and lung cancer — more than 3 million whole-body bone scans are performed annually in the United States — and EXINI BoneScan AI (EXINI Diagnostics, acquired by Lantheus Holdings in 2021 for $70.8 million, deployed at more than 500 nuclear medicine sites globally) applies deep learning classification to whole-body planar bone scan images to automatically detect and count bone metastasis lesions, classify scan findings as normal, non-specific, or metastatic, and generate a Bone Scan Index (BSI) — a quantitative measure of the fraction of the skeleton involved by metastatic disease — that has been validated as a prognostic biomarker and treatment response endpoint in castration-resistant prostate cancer (CRPC) clinical trials. EXINI Prostate AI integrates bone scan AI with PSA kinetics and clinical data to generate an overall prostate cancer staging AI assessment. Alongside bone scintigraphy, PSMA PET/CT — using piflufolastat F-18 (PYLARIFY, Lantheus Holdings, FDA PMA P210013 approved May 2021) or 68Ga-PSMA-11 (FDA NDA 213074) — is increasingly used for initial staging of high-risk prostate cancer and for CRPC restaging, with AI analysis platforms quantifying PSMA-avid lesion burden across the skeleton and soft tissue.
The adversarial injection surface for bone scan AI is the whole-body planar scintigraphic image — an anterior and posterior whole-body projection image acquired on a dual-headed gamma camera (Siemens Symbia, GE Optima, Philips BrightView) — at the DICOM transmission boundary from the gamma camera workstation to the EXINI BoneScan AI or equivalent AI workstation over the hospital DICOM or HL7 FHIR network. Adversarial pixel perturbations applied to the whole-body bone scan image can suppress the focal increased tracer uptake in one or more vertebral or pelvic lesions, causing the AI to report a lower BSI than is present, reduce the lesion count (misclassifying metastatic disease as fewer lesions), or classify a metastatic scan as non-specific or normal. In the CRPC treatment response context — where serial bone scan AI BSI comparisons between baseline and on-treatment scans determine whether a patient is classified as having bone scan progressive disease (2 or more new lesions on sequential scans, PCWG3 Prostate Cancer Working Group 3 criteria) — adversarial suppression of new lesions from the AI-analyzed treatment scan generates a false stable disease classification, continuing a patient on a treatment that is failing to control bone metastatic disease. The inverse attack — generating artifactual focal uptake in normal bone — produces false positive lesion counts that trigger unnecessary bone biopsy, escalation to chemotherapy from hormonal therapy, or declaration of progressive disease that removes a patient from a clinical trial demonstrating benefit in their disease subgroup.
Integration: nuclear medicine AI image ingestion with Glyphward pre-scan
The Glyphward scan gate belongs at the DICOM image ingestion boundary in each nuclear medicine AI pipeline — between the scanner reconstruction workstation (or PACS retrieval) and the AI quantification engine. The async pattern below handles all four nuclear medicine AI contexts through a shared scan_nuclear_medicine_ai_image function, with patient-safety-calibrated thresholds reflecting the clinical severity of each AI quantification failure mode, and structured JSONL audit output for SNMMI/ACR nuclear medicine quality records and NRC 10 CFR Part 35 written directive documentation chains.
import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path
import httpx
GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"
# Per-context thresholds reflecting nuclear medicine AI patient-safety severity
PET_SUV_ONCOLOGY_THRESHOLD = 45 # Siemens Syngo / GE AW / Philips ISP PET SUV AI
SPECT_MPI_CARDIAC_THRESHOLD = 45 # Cedars-Sinai QPS/QGS / Emory CTB / EXINI HeartSee
DOSIMETRY_KIDNEY_THRESHOLD = 45 # MIM SurePlan / HERMES Dosimetry / Planet Dose AI
BONE_SCAN_STAGING_THRESHOLD = 50 # EXINI BoneScan AI / EXINI Prostate AI / PSMA PET AI
class NuclearMedicineAIContext(Enum):
PET_SUV_ONCOLOGY = "pet_suv_oncology" # threshold 45
SPECT_MPI_CARDIAC = "spect_mpi_cardiac" # threshold 45
DOSIMETRY_KIDNEY = "dosimetry_kidney" # threshold 45
BONE_SCAN_STAGING = "bone_scan_staging" # threshold 50
_CONTEXT_THRESHOLDS: dict[NuclearMedicineAIContext, int] = {
NuclearMedicineAIContext.PET_SUV_ONCOLOGY: PET_SUV_ONCOLOGY_THRESHOLD,
NuclearMedicineAIContext.SPECT_MPI_CARDIAC: SPECT_MPI_CARDIAC_THRESHOLD,
NuclearMedicineAIContext.DOSIMETRY_KIDNEY: DOSIMETRY_KIDNEY_THRESHOLD,
NuclearMedicineAIContext.BONE_SCAN_STAGING: BONE_SCAN_STAGING_THRESHOLD,
}
class AdversarialNuclearMedicineAIImageError(Exception):
"""Raised when Glyphward detects adversarial pixel content in a
nuclear medicine AI image above the context threshold.
Attributes:
scan_id: Glyphward scan identifier for the SNMMI/ACR audit record.
score: Adversarial signal score (0-100).
context: The NuclearMedicineAIContext in which detection occurred.
flagged_region: Optional dict describing the flagged pixel region.
"""
def __init__(
self,
scan_id: str,
score: int,
context: NuclearMedicineAIContext,
flagged_region: dict | None = None,
) -> None:
self.scan_id = scan_id
self.score = score
self.context = context
self.flagged_region = flagged_region
super().__init__(
f"Adversarial nuclear medicine AI image detected: "
f"context={context.value} score={score} scan_id={scan_id}"
)
async def scan_nuclear_medicine_ai_image(
image_path: Path,
context: NuclearMedicineAIContext,
patient_id_hash: str,
accession_hash: str,
acquisition_ts: str,
client: httpx.AsyncClient,
) -> dict:
"""Scan a nuclear medicine AI image for adversarial pixel content.
Args:
image_path: Absolute path to the reconstructed DICOM image file
(PET volume, SPECT volume, SPECT/CT dosimetry, bone scan).
context: NuclearMedicineAIContext enum value identifying the AI pipeline.
patient_id_hash: SHA-256 hash of MRN (not the MRN itself — HIPAA §164.312).
accession_hash: SHA-256 hash of DICOM accession number.
acquisition_ts: ISO 8601 timestamp of image acquisition.
client: Shared httpx.AsyncClient for connection reuse.
Returns:
Glyphward scan result dict: scan_id, score, flagged_region, modality.
Raises:
AdversarialNuclearMedicineAIImageError: if score exceeds context threshold.
httpx.HTTPStatusError: on Glyphward API errors (fail-closed: quarantine image).
"""
threshold = _CONTEXT_THRESHOLDS[context]
image_bytes = image_path.read_bytes()
image_hash = hashlib.sha256(image_bytes).hexdigest()
payload = {
"image": base64.b64encode(image_bytes).decode(),
"source": f"nuclear_medicine:{context.value}:{acquisition_ts}",
"metadata": {
"patient_id_hash": patient_id_hash,
"accession_hash": accession_hash,
"acquisition_ts": acquisition_ts,
"image_sha256": image_hash,
},
}
resp = await client.post(
GLYPHWARD_SCAN_URL,
headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
json=payload,
timeout=5.0,
)
resp.raise_for_status()
result = resp.json()
await write_nuclear_medicine_scan_audit(
image_hash=image_hash,
scan_id=result["scan_id"],
score=result["score"],
context=context,
threshold=threshold,
patient_id_hash=patient_id_hash,
accession_hash=accession_hash,
acquisition_ts=acquisition_ts,
flagged=result["score"] > threshold,
)
if result["score"] > threshold:
raise AdversarialNuclearMedicineAIImageError(
scan_id=result["scan_id"],
score=result["score"],
context=context,
flagged_region=result.get("flagged_region"),
)
return result
async def write_nuclear_medicine_scan_audit(
*,
image_hash: str,
scan_id: str,
score: int,
context: NuclearMedicineAIContext,
threshold: int,
patient_id_hash: str,
accession_hash: str,
acquisition_ts: str,
flagged: bool,
) -> None:
"""Append structured JSON audit record to nuclear medicine AI scan log.
Satisfies HIPAA §164.312(b) audit controls, FDA SaMD Cybersecurity Guidance
adversarial input detection evidence requirements, SNMMI/ACR nuclear medicine
quality assurance records, and NRC 10 CFR Part 35 written directive
documentation chains for therapeutic radiopharmaceutical administrations.
Hashed IDs avoid PHI in the scan log itself.
"""
record = {
"ts": datetime.now(timezone.utc).isoformat(),
"scan_id": scan_id,
"image_sha256": image_hash,
"context": context.value,
"score": score,
"threshold": threshold,
"flagged": flagged,
"patient_id_hash": patient_id_hash,
"accession_hash": accession_hash,
"acquisition_ts": acquisition_ts,
}
audit_path = Path("/var/log/glyphward/nuclear_medicine_ai_scan_audit.jsonl")
audit_path.parent.mkdir(parents=True, exist_ok=True)
with audit_path.open("a") as fh:
fh.write(json.dumps(record) + "\n")
async def process_nuclear_medicine_image_batch(
images: list[tuple[Path, NuclearMedicineAIContext, str, str, str]],
) -> list[dict]:
"""Process a batch of (path, context, patient_hash, accession_hash, ts) tuples."""
async with httpx.AsyncClient() as client:
tasks = [
scan_nuclear_medicine_ai_image(
image_path=path,
context=ctx,
patient_id_hash=pid,
accession_hash=acc,
acquisition_ts=ts,
client=client,
)
for path, ctx, pid, acc, ts in images
]
results = []
for coro in asyncio.as_completed(tasks):
try:
results.append(await coro)
except AdversarialNuclearMedicineAIImageError as exc:
results.append({
"status": "quarantined",
"context": exc.context.value,
"scan_id": exc.scan_id,
"score": exc.score,
"flagged_region": exc.flagged_region,
})
return results
Deploy scan_nuclear_medicine_ai_image at the DICOM image ingestion boundary in each pipeline: before reconstructed PET volumes reach Siemens Syngo.via, GE AW Server, or MIM Software SUV quantification AI; before gated SPECT perfusion datasets reach Cedars-Sinai QPS/QGS, Emory Cardiac Toolbox, or GE Myovation AI; before post-therapy quantitative SPECT/CT dosimetry images reach MIM SurePlan or HERMES Dosimetry absorbed-dose AI; and before whole-body bone scan images reach EXINI BoneScan AI or PSMA PET analysis platforms. Get early access
Coverage matrix
| Tool | PET SUV oncology staging AI injection | SPECT MPI cardiac AI injection | Dosimetry kidney dose AI injection | Bone scan staging AI injection |
|---|---|---|---|---|
| Lakera Guard | No (text only) | No (text only) | No (text only) | No (text only) |
| LLM Guard | No (text only) | No (text only) | No (text only) | No (text only) |
| Azure Prompt Shields | No (text only) | No (text only) | No (text only) | No (text only) |
| Platform-native (Siemens Syngo.via, GE AW Server, Cedars-Sinai QPS/QGS, MIM SurePlan, EXINI BoneScan AI) | No adversarial injection detection | No adversarial injection detection | No adversarial injection detection | No adversarial injection detection |
| Glyphward | Yes — scans reconstructed PET DICOM bytes before SUV quantification AI; threshold 45; accession hash + acquisition timestamp logged | Yes — scans gated SPECT perfusion DICOM bytes before QPS/QGS AI; threshold 45; patient hash + accession hash logged | Yes — scans quantitative SPECT/CT dosimetry DICOM bytes before absorbed dose AI; threshold 45; NRC Part 35 documentation chain supported | Yes — scans whole-body bone scan image bytes before EXINI BoneScan AI; threshold 50; accession hash + acquisition timestamp logged |
Related questions
What FDA clearances govern AI software for PET/CT SUV quantification in oncology staging?
FDA 510(k) clearances for PET/CT scanner platforms include Siemens Healthineers Biograph Vision (K193402), GE Healthcare Discovery MI, Philips Vereos Digital PET/CT, and United Imaging uMI 550. AI quantification software embedded in or integrated with these platforms falls under FDA’s Software as a Medical Device (SaMD) framework and the 2021 AI/ML-based SaMD Action Plan. Clearances are assessed for substantial equivalence to predicate devices on validated clean PET datasets; adversarial robustness against pixel-level perturbation in reconstructed PET images is not evaluated as part of 510(k) performance characterization. FDA’s October 2023 Cybersecurity Guidance for medical devices requires manufacturers to address adversarial input threats in their cybersecurity risk management plans under a risk-based framework, but does not mandate inference-time adversarial pixel scanning as a deployment requirement for cleared nuclear medicine AI SaMD.
The SaMD regulatory designation matters for nuclear medicine AI adversarial injection because it establishes which entity bears primary responsibility for ensuring AI input integrity at the clinical deployment boundary. For bundled scanner AI software (SUV quantification integrated into Siemens Syngo.via or GE AW Server), the scanner manufacturer holds the 510(k) and carries cybersecurity responsibility. For standalone nuclear medicine AI workstations (MIM Software, HERMES Medical Solutions, EXINI/Lantheus), the software vendor holds the clearance and is responsible under their cleared device’s cybersecurity plan. Hospital CISO and nuclear medicine QA programs bear operator responsibility for DICOM network security between scanner workstations and AI platforms — the transmission pathway that constitutes the primary adversarial injection surface in practice.
How does adversarial SUV manipulation in PET oncology AI affect AJCC TNM staging decisions?
AJCC TNM staging for FDG-avid lymphomas, lung cancer, and head-and-neck cancer uses SUVmax thresholds in reconstructed PET images to differentiate benign from malignant lymph node involvement and to assess treatment response under PERCIST criteria. AI quantification systems including those embedded in Siemens Syngo.via and GE AW Server calculate SUVmax and SUVmean from reconstructed PET images — the same image data that constitutes the adversarial injection surface. A pixel perturbation that artifactually elevates SUVmax in a mediastinal lymph node from 2.1 to 4.8 in a lung cancer staging PET would cause AI-assisted staging to reclassify the node as malignant (N2 disease), upstaging the patient from stage II to stage III and potentially redirecting treatment from surgical resection with curative intent to definitive concurrent chemoradiotherapy — a treatment change associated with substantially lower 5-year survival in stage II NSCLC (50–60% vs. 15–25% at 5 years for stage IIIA with N2 disease).
The PERCIST treatment response dimension of the adversarial staging attack is equally significant. PERCIST 1.0 criteria define complete metabolic response (CMR) as complete resolution of FDG uptake in all target lesions to below liver background SUL levels; partial metabolic response (PMR) as ≥30% decrease in SULpeak; progressive metabolic disease (PMD) as ≥30% increase in SULpeak or appearance of new lesions. An adversarial pixel suppression attack that causes AI to calculate CMR in a patient with residual FDG-avid disease (PMR or stable) would indicate treatment success where interim PET should be triggering escalation to second-line regimens — a consequential false negative in DLBCL interim PET that determines whether consolidation treatment with autologous stem cell transplant is offered, with remission rate consequences that differ by 30–40 percentage points between CMR and non-CMR groups.
What are the dosimetry safety thresholds that make Lu-177 radiopharmaceutical therapy AI injection clinically dangerous?
Lu-177-DOTATATE (LUTATHERA) and Lu-177-PSMA-617 (PLUVICTO) radiopharmaceutical therapy doses are personalized using dosimetry calculations from quantitative SPECT/CT images acquired after each cycle. The IAEA Human Health Series No. 9 and clinical practice guidelines recommend limiting kidney absorbed dose to 23 Gy cumulative across all treatment cycles to avoid radiation nephropathy — a threshold derived from the renal tolerance data for external beam radiotherapy and validated in LUTATHERA clinical trial (NETTER-1) dosimetry data. MIM SurePlan (FDA 510(k) K180468), HERMES Dosimetry, and Planet Dose AI calculate absorbed dose from SPECT/CT dosimetry images and generate cycle-by-cycle dose accumulation reports. An adversarial perturbation in post-therapy SPECT/CT images that causes the AI to underestimate kidney dose by 20–30% across three treatment cycles can result in cumulative kidney absorbed dose exceeding 23 Gy, triggering radiation nephropathy with progressive GFR decline, proteinuria, and hypertension — a dose-limiting toxicity that is irreversible once established.
The bone marrow dosimetry threshold (2 Gy total red marrow absorbed dose) presents an analogous adversarial surface in patients with bone marrow involvement or prior myelosuppressive chemotherapy where bone marrow reserve is reduced. Quantitative SPECT/CT images of lumbar vertebrae and sacrum — used as red marrow dosimetry surrogate volumes — processed by AI dosimetry platforms to calculate marrow absorbed dose are subject to adversarial pixel manipulation that underestimates marrow exposure, potentially contributing to cumulative myelosuppression and treatment-related cytopenias in patients already on the margin of bone marrow tolerance. The NRC 10 CFR 35.3045 medical event reporting threshold for therapeutic radiopharmaceuticals — administered dose differing from prescribed dose by 20% or causing unintended tissue dose — would be triggered by the clinical consequences of AI dosimetry adversarial injection if a medical event were recognized and traced to the AI output manipulation.
How does SPECT MPI cardiac AI adversarial injection differ from standard radiology AI prompt injection?
Standard radiology AI prompt injection typically targets a static image — a CT slice, an MRI sequence frame, a digital radiograph — analyzed for structural abnormality detection. SPECT MPI cardiac AI as implemented in Cedars-Sinai QPS/QGS, Emory Cardiac Toolbox, and EXINI HeartSee AI processes gated SPECT perfusion image sequences representing myocardial perfusion distribution across a cardiac cycle in both stress and rest acquisition states. The AI must analyze the stress-rest perfusion difference across a three-dimensional myocardial surface map rendered from multiple SPECT projection images and compare regional perfusion intensity distributions to a gender-matched normal database. This creates a multi-volume, multi-state adversarial injection surface: the perturbation must act across both the stress and rest SPECT volumes simultaneously in a spatially coherent pattern to produce a false perfusion appearance that the AI interprets as normal rather than a conspicuously unphysical image artifact.
The additional complexity of a multi-volume adversarial attack in SPECT MPI is offset by the higher clinical consequence of a successful attack versus single-image radiology AI injection. A successful adversarial suppression of a LAD territory stress perfusion defect in a patient with 80% proximal LAD stenosis eliminates the indication for coronary angiography that would have led to stent placement or CABG referral — leaving the patient at elevated risk of anterior STEMI, which carries 7–10% in-hospital mortality and significant long-term heart failure risk. ASNC imaging guidelines and ACC/AHA appropriateness criteria for MPI SPECT rely on QPS/QGS quantitative output as the primary trigger for invasive evaluation in intermediate-probability CAD — the patient population where adversarial injection has the highest clinical yield, as these are patients who are borderline candidates for angiography and where a falsely normal AI perfusion report definitively tips the decision toward medical management over invasive evaluation.
What NRC and Agreement State regulatory obligations apply to AI-assisted nuclear medicine dosimetry?
NRC 10 CFR Part 35 (Medical Use of Byproduct Material) establishes the regulatory framework for radiopharmaceutical administration, including dosimetry requirements for therapeutic radiopharmaceuticals administered under 10 CFR 35.396 (Y-90 microsphere brachytherapy for hepatic radioembolization), 10 CFR 35.390 (other therapeutic radiopharmaceuticals requiring individualized dosimetry), and 10 CFR 35.300 (unsealed byproduct material requiring written directive). The 39 Agreement States — states operating radiation control programs under NRC agreement — implement equivalent regulations through state-specific versions of 10 CFR Part 35. 10 CFR 35.40 requires written directives for therapeutic radiopharmaceutical administrations specifying the total administered activity; when AI dosimetry software calculates the administered activity for each Lu-177 therapy cycle, the AI output is the direct input to the written directive that constitutes the official NRC regulatory record.
Adversarial manipulation of AI dosimetry outputs therefore constitutes a potential NRC medical event under 10 CFR 35.3045, which requires reporting to NRC when the administered dose to a patient differs from the prescribed dose by specified thresholds — or when the administered dose causes unintended radiation to a tissue or organ exceeding 50 rem (0.5 Sv) effective dose. The NRC reporting obligation links the adversarial injection attack consequence directly to federal regulatory reporting requirements that impose investigation, root cause analysis, and corrective action obligations on the licensed nuclear medicine facility. AI dosimetry platform vendors operating under FDA 510(k) clearances (MIM SurePlan K180468) must address NRC Part 35 compliance and medical event risk in their device labeling and cybersecurity documentation; adversarial input integrity is a gap in current 510(k) cybersecurity submissions that is not addressed by DICOM network security controls alone.
Further reading
- Prompt injection in healthcare radiology AI — CT, MRI, and X-ray AI pipeline adversarial surfaces
- Prompt injection in digital pathology and clinical laboratory AI — WSI and lab analyzer AI pipelines
- Prompt injection in clinical trials and pharmaceutical AI — endpoint adjudication and imaging core lab AI
- HIPAA-compliant AI security — §164.312 audit controls for nuclear medicine DICOM pipelines
- Prompt injection scanning API free tier — 10 scans/day, no card required