Diabetic retinopathy AI · Glaucoma progression AI · OCT analysis AI · AMD monitoring AI
Prompt injection in ophthalmology AI
Ophthalmic AI achieved a historic regulatory milestone in April 2018 when the FDA granted De Novo authorization DEN170001 to IDx-DR — the first AI diagnostic device in history to receive FDA authorization to make a diagnostic finding without a clinician reviewing the image. IDx-DR analyzes fundus photographs of the retina to detect diabetic retinopathy, and its authorization empowered primary care physicians with no ophthalmology training to perform diabetic eye disease screening by photographing the patient’s retina and submitting the image to the AI for an autonomous diagnostic output. This regulatory precedent — an AI that makes a diagnostic decision without mandatory human review — represents the highest-stakes adversarial injection surface in the medical AI landscape: an adversarial perturbation that causes IDx-DR to output a “negative for diabetic retinopathy” finding for a retinal photograph showing sight-threatening retinopathy will result in a patient with progressive retinal disease being incorrectly reassured and not referred to an ophthalmologist, with potential progression to vision loss before the next annual screening. Diabetic retinopathy is the leading cause of new blindness in working-age US adults, affecting an estimated 7.7 million Americans with diagnosed diabetic retinopathy and another 29 million diabetic patients at risk who require regular screening. The stakes of AI screening failure are not operational disruption — they are irreversible vision loss. Topcon Medical Systems, whose SureSight AI and Topcon AI Retinal Image Analysis platform are deployed in primary care and diabetes management clinics, operates a cloud-based fundus photograph AI analysis service architecturally similar to IDx-DR: the primary care practice photographs the patient, the image is transmitted to Topcon’s backend AI, and the AI output returns an actionable screening result to the practice. 
Heidelberg Engineering’s SPECTRALIS imaging platform, the most widely deployed OCT system in academic ophthalmology and retina subspecialty practices, incorporates AI-assisted layer segmentation that processes OCT B-scan images to quantify retinal nerve fiber layer (RNFL) thickness for glaucoma monitoring, drusen volume for AMD progression tracking, and central subfield thickness for diabetic macular edema (DME) assessment. Google DeepMind has published clinical validation of a retinal AI system (deployed in partnership with Moorfields Eye Hospital, the largest ophthalmology hospital in Europe) that detects and grades retinal pathology from fundus photographs and OCT images across more than 50 ophthalmic conditions simultaneously. Optos ultra-widefield fundus imaging AI, deployed by Optomed, Optos (a Nikon company), and OptoVue, extends AI analysis to ultra-widefield retinal images that capture peripheral retinal pathology beyond the 45-degree field of standard fundus cameras. In every pipeline, the common architectural element is a retinal or ophthalmic image — a fundus photograph, an OCT B-scan, a visual field test result image, or an anterior segment photograph — submitted to an AI model whose output determines whether a patient is referred for urgent ophthalmologic intervention, continued in routine screening, or cleared for an extended screening interval. The adversarial injection surface at that decision boundary is, in clinical consequence terms, among the most dangerous in applied AI.
TL;DR
IDx-DR, Topcon AI, Heidelberg SPECTRALIS AI, Google DeepMind retinal AI, and Optos ultra-widefield AI process fundus photographs, OCT B-scan series, visual field result images, and anterior segment images. Adversarially crafted images can cause AI to clear sight-threatening diabetic retinopathy, miss glaucomatous RNFL thinning, suppress AMD progression alerts, and pass fraudulent teleophthalmology screening results. Glyphward scans these inputs at thresholds of 50 for autonomous diagnostic AI inputs, 50 for OCT glaucoma progression, 55 for AMD monitoring, and 55 for teleophthalmology screening. Free tier: 10 scans/day, no card required.
Four adversarial injection surfaces in ophthalmology AI pipelines
1. Diabetic retinopathy screening AI bypass (IDx-DR, Topcon AI, Google DeepMind retinal AI)
IDx-DR’s clinical workflow begins with the practice acquiring two fundus photographs of each eye using a Topcon NW400 non-mydriatic fundus camera (the specific camera model validated in the FDA De Novo submission), exporting the JPEG images from the camera, and uploading them through the IDx-DR software interface to the cloud-based AI inference backend. The AI analyzes the fundus photograph pixel content against its training on diabetic retinopathy grades — from mild non-proliferative retinopathy (NPDR) through severe NPDR to proliferative diabetic retinopathy (PDR) — and returns either “More than mild diabetic retinopathy detected, refer to eye care professional” or “Negative for more than mild diabetic retinopathy, rescreen in 12 months.” The binary, action-oriented output format was specifically designed for the autonomous diagnostic use case where no clinician reviews the image before the result is communicated to the patient.
The adversarial attack against IDx-DR targets the fundus photograph JPEG at the upload boundary — the point at which the camera-exported image enters the IDx-DR software upload workflow. An adversary with access to the image processing pipeline between the camera export and the IDx-DR upload — at a compromised practice workstation, a tampered imaging middleware, or a man-in-the-middle attack on the image transmission API — can apply adversarial pixel perturbations to the fundus photograph that cause IDx-DR to output a negative screening result for an image that shows diabetic retinopathy above the “more than mild” threshold. The adversarial perturbation is imperceptible to a human viewer: the modified fundus photograph appears identical to the original retinal image, showing the same retinal vasculature, optic disc, and macula detail that a trained ophthalmologist would use for clinical assessment. The AI, operating on a pixel representation processed through its convolutional feature extractor, classifies the adversarially modified image differently from the original. IDx-DR’s De Novo authorization was granted on the basis of its validated sensitivity (87.2%) and specificity (90.7%) on clean validation datasets; the FDA’s static validation framework evaluated performance on unperturbed photographs and does not characterize performance on adversarially perturbed inputs. Topcon AI and Google DeepMind’s retinal AI share this validation gap — their published clinical validation studies evaluated performance on standard clinical fundus photograph datasets, not on datasets containing adversarially perturbed images.
The clinical consequence of adversarial diabetic retinopathy screening bypass is well-documented through the non-adversarial literature on screening gaps: patients with proliferative diabetic retinopathy who do not receive timely referral for vitreoretinal surgery (vitrectomy, panretinal photocoagulation) have high rates of progression to tractional retinal detachment and vitreous hemorrhage, both sight-threatening conditions. Ophthalmology malpractice claims for missed diabetic retinopathy — historically arising from human screening failures — now include documented cases where AI-assisted screening results influenced the decision not to refer, establishing the clinical liability chain from adversarial AI failure to patient harm. ADA Standards of Medical Care in Diabetes require annual dilated eye exams for all patients with type 1 diabetes (starting 5 years after diagnosis) and type 2 diabetes (starting at diagnosis), generating an annual screening demand of approximately 30 million examinations that AI autonomous screening is explicitly positioned to address in rural and underserved communities where ophthalmologist access is limited — the same communities where adversarial injection detection infrastructure is least likely to be independently implemented.
2. OCT-based glaucoma progression AI injection (Heidelberg SPECTRALIS AI, Zeiss Cirrus AI, Optovue AngioVue AI)
Optical coherence tomography (OCT) provides micron-resolution cross-sectional imaging of retinal tissue layers, and AI-assisted analysis of OCT B-scan images has become the standard of care for glaucoma progression monitoring in ophthalmology practices and academic medical centers. Heidelberg Engineering’s SPECTRALIS AI, running within the SPECTRALIS imaging and analysis system deployed in more than 10,000 ophthalmology practices worldwide, processes peripapillary RNFL thickness maps — circular OCT scans centered on the optic nerve head — and generates RNFL thickness sector values (global, temporal, superior, nasal, inferior, temporal-superior-inferior-nasal-temporal sectors) that the AI compares against the normative database to classify each sector as within normal limits, borderline, or outside normal limits. The AI progression analysis module compares serial RNFL measurements across examination dates to detect statistically significant RNFL thinning that indicates progressive glaucomatous damage — the key clinical decision that determines whether a glaucoma patient’s current intraocular pressure target is controlling disease or whether treatment escalation (additional medications, selective laser trabeculoplasty, or filtration surgery) is indicated. Zeiss CIRRUS HD-OCT AI and Optovue AngioVue AI perform equivalent RNFL progression analysis, with Zeiss’s Guided Progression Analysis (GPA) providing a widely-used progression detection framework that ophthalmologists in academic centers and private practice rely on for treatment escalation decisions.
The adversarial attack against OCT glaucoma progression AI targets the OCT B-scan image export from the imaging device at the DICOM or proprietary format export boundary. Adversarial perturbations applied to the OCT B-scan image content — operating on the high-contrast OCT speckle pattern and layer boundary reflectance characteristics specific to retinal OCT imaging — can cause the SPECTRALIS AI or Zeiss Cirrus AI to over-report RNFL thickness (masking progressive thinning) or to classify RNFL sector values as within normal limits when the underlying OCT shows pathological thinning consistent with moderate or advanced glaucoma. The clinical consequence of adversarial OCT progression suppression is failure to escalate glaucoma treatment in a patient with progressive optic nerve damage — allowing intraocular pressure to continue damaging retinal ganglion cells at a rate that will progress the patient from moderate to advanced glaucoma and ultimately to severe visual field loss. Unlike diabetic retinopathy where surgical intervention can restore function, glaucomatous retinal ganglion cell loss is irreversible: neurons lost cannot be replaced, making early progression detection the sole clinical lever for preventing blindness. Glaucoma malpractice claims based on inadequate monitoring and failure to escalate treatment have resulted in multi-million dollar verdicts in multiple US jurisdictions; the integration of AI progression analysis into the monitoring decision chain creates a product liability dimension alongside the clinical negligence analysis when adversarial injection is demonstrated.
3. Age-related macular degeneration AI monitoring injection (Notal Vision Home OCT AI, Optos AI, Optovue AMD AI)
Age-related macular degeneration is the leading cause of severe vision loss in Americans over 50, affecting approximately 11 million people in the United States. The transition from dry AMD (geographic atrophy, drusen accumulation) to wet AMD (choroidal neovascularization, CNV) triggers sight-threatening subretinal fluid accumulation that can be arrested by anti-VEGF injections (Eylea, Lucentis, Beovu, Vabysmo) if detected and treated within weeks of onset — creating an AI monitoring use case with high stakes for timely detection. Notal Vision’s Home OCT device, an FDA-authorized home OCT imaging system that patients use daily to self-scan their macular OCT, transmits OCT B-scan images to Notal Vision’s cloud-based AI analysis platform that detects subretinal fluid onset and alerts the treating retinal specialist. Optos ultra-widefield AI detects peripheral CNV and AMD lesions not visible in standard fundus field imaging. Optovue’s AngioVue OCT-A AI analyzes OCT angiography images — flow-sensitive OCT scans that visualize retinal vasculature without fluorescein dye injection — to detect CNV lesion growth and treatment response at follow-up visits.
The adversarial attack against AMD monitoring AI targets the OCT B-scan image at the home imaging device upload boundary (Notal Vision) or at the clinical imaging export boundary (Optos, Optovue). Adversarial perturbations can cause the home OCT AI to suppress subretinal fluid detection signals in B-scans showing active wet AMD conversion — preventing the automated alert that would trigger urgent retinal specialist referral — or to generate false positive fluid signals in dry AMD B-scans, generating unnecessary urgent referrals that overwhelm retinal specialist clinic capacity and erode patient trust in the monitoring system. The financial stakes of AMD AI monitoring extend beyond malpractice liability: anti-VEGF injections cost $2,000–$8,000 per injection, and the treatment burden for active CNV (monthly or bimonthly injections for 1–3 years) creates a financial incentive landscape where adversarial manipulation of AMD activity status could serve insurance fraud purposes (suppressing AMD activity to avoid coverage obligations for anti-VEGF therapy) or fraudulent billing purposes (generating false AMD activity findings to support injection claims). Medicare Part B reimbursement for Eylea and Lucentis injections exceeds $1 billion annually; the anti-VEGF injection fraud risk is an established OIG enforcement priority.
4. Teleophthalmology and remote screening AI bypass (EyePACS, 1DocWay, Retinal AI in telehealth platforms)
Teleophthalmology screening programs have expanded dramatically since 2020, driven by rural healthcare access gaps, COVID-19 disruption of in-person ophthalmology visits, and the success of AI-assisted autonomous screening demonstrated by IDx-DR’s clinical deployment. EyePACS, the teleophthalmology platform used in the California Safety Net and Federally Qualified Health Center networks for diabetic retinopathy screening, operates a store-and-forward model in which fundus photographs captured at primary care clinics are transmitted to a reading center where remote ophthalmologists review AI-assisted annotations before issuing screening results. 1DocWay, Truscreen, and multiple state Medicaid teleophthalmology programs operate similar architectures where AI pre-processing assists human graders or, in fully autonomous implementations, replaces human graders with AI decision outputs. Retinal AI modules embedded in telemedicine platforms (Teladoc Health, MDLive, and platform-specific integrations) have extended AI-assisted retinal screening to consumer telehealth contexts where patients use smartphone fundus camera attachments — Peek Vision Retinal Imager, iExaminer by Welch Allyn — to acquire self-captured retinal images submitted for AI analysis.
The adversarial attack against teleophthalmology screening AI targets the fundus image at the most accessible attack boundary in the entire ophthalmic AI chain: the network transmission from the primary care site or patient device to the cloud-based AI analysis endpoint. Teleophthalmology images travel over standard HTTPS transport from clinic workstations, EHR integration APIs, and consumer smartphone apps; the network transmission path lacks the physical access controls that protect images acquired and processed within a hospital imaging department. A man-in-the-middle attack on the image upload API — feasible at poorly secured clinic network boundaries or through malicious software on the imaging workstation — can adversarially perturb fundus photograph images in transit before they reach the AI analysis backend. The consequence of adversarial bypass in community-based teleophthalmology screening is population-level: EyePACS serves hundreds of thousands of diabetes patients annually in high-risk communities; a systematic adversarial bypass affecting the fundus image transmission pipeline could suppress retinopathy detection across an entire primary care network. CMS reimbursement for teleophthalmology diabetic retinopathy screening (CPT 92227, 92228) has been formally established since 2021, creating an insurance billing infrastructure around teleophthalmology AI that makes adversarial result manipulation financially actionable under FCA anti-fraud provisions.
Integration: ophthalmology AI image ingestion with Glyphward pre-scan
The Glyphward scan gate belongs at the image ingestion point in each ophthalmic AI pipeline — before the fundus photograph, OCT B-scan, ultra-widefield image, or anterior segment photograph is passed to the AI analysis engine. The async pattern below handles all four ophthalmic AI contexts through a shared scan_ophthalmic_ai_image function with context-specific thresholds and structured audit output suitable for HIPAA §164.312 and FDA SaMD Cybersecurity Guidance evidence generation.
```python
import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Per-context thresholds reflecting ophthalmic AI patient-safety severity
DR_SCREENING_THRESHOLD = 50       # IDx-DR / Topcon AI / Google DeepMind retinal AI
OCT_GLAUCOMA_THRESHOLD = 50       # Heidelberg SPECTRALIS AI / Zeiss CIRRUS AI
AMD_MONITORING_THRESHOLD = 55     # Notal Vision Home OCT AI / Optos AI
TELEOPHTHALMOLOGY_THRESHOLD = 55  # EyePACS / 1DocWay / telehealth retinal AI


class OphthalmicAIContext(Enum):
    DR_SCREENING = "dr_screening"            # threshold 50
    OCT_GLAUCOMA = "oct_glaucoma"            # threshold 50
    AMD_MONITORING = "amd_monitoring"        # threshold 55
    TELEOPHTHALMOLOGY = "teleophthalmology"  # threshold 55


_CONTEXT_THRESHOLDS: dict[OphthalmicAIContext, int] = {
    OphthalmicAIContext.DR_SCREENING: DR_SCREENING_THRESHOLD,
    OphthalmicAIContext.OCT_GLAUCOMA: OCT_GLAUCOMA_THRESHOLD,
    OphthalmicAIContext.AMD_MONITORING: AMD_MONITORING_THRESHOLD,
    OphthalmicAIContext.TELEOPHTHALMOLOGY: TELEOPHTHALMOLOGY_THRESHOLD,
}


class AdversarialOphthalmicAIImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in an
    ophthalmic AI input image above the context-specific threshold.

    Attributes:
        scan_id: Glyphward scan identifier for the audit record.
        score: Adversarial signal score (0-100).
        context: The OphthalmicAIContext in which detection occurred.
        flagged_region: Optional dict describing the pixel region with the signal.
    """

    def __init__(
        self,
        scan_id: str,
        score: int,
        context: OphthalmicAIContext,
        flagged_region: dict | None = None,
    ) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial ophthalmic AI image detected: "
            f"context={context.value} score={score} scan_id={scan_id}"
        )


async def scan_ophthalmic_ai_image(
    image_path: Path,
    context: OphthalmicAIContext,
    patient_id_hash: str,
    study_uid: str,
    facility_npi: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan an ophthalmic AI input image for adversarial pixel content.

    Args:
        image_path: Absolute path to the fundus/OCT/anterior-segment image.
        context: OphthalmicAIContext enum value identifying the AI pipeline.
        patient_id_hash: SHA-256 hash of patient MRN (not the MRN itself — HIPAA).
        study_uid: DICOM Study Instance UID or imaging study identifier.
        facility_npi: Facility or provider NPI for audit correlation.
        client: Shared httpx.AsyncClient for connection reuse.

    Returns:
        Glyphward scan result dict: scan_id, score, flagged_region, modality.

    Raises:
        AdversarialOphthalmicAIImageError: if score exceeds context threshold.
        httpx.HTTPStatusError: on Glyphward API errors (fail-closed: re-raise).
    """
    threshold = _CONTEXT_THRESHOLDS[context]
    image_bytes = image_path.read_bytes()
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"ophthalmic:{context.value}:{study_uid}",
        "metadata": {
            "patient_id_hash": patient_id_hash,
            "study_uid": study_uid,
            "facility_npi": facility_npi,
            "image_sha256": image_hash,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=5.0,
    )
    resp.raise_for_status()
    result = resp.json()
    await write_ophthalmic_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        threshold=threshold,
        patient_id_hash=patient_id_hash,
        study_uid=study_uid,
        facility_npi=facility_npi,
        flagged=result["score"] > threshold,
    )
    if result["score"] > threshold:
        raise AdversarialOphthalmicAIImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def write_ophthalmic_scan_audit(
    *,
    image_hash: str,
    scan_id: str,
    score: int,
    context: OphthalmicAIContext,
    threshold: int,
    patient_id_hash: str,
    study_uid: str,
    facility_npi: str,
    flagged: bool,
) -> None:
    """Append structured JSON audit record to ophthalmic AI scan log.

    Satisfies HIPAA §164.312(b) audit controls and FDA SaMD Cybersecurity
    Guidance adversarial input detection evidence requirements.
    patient_id_hash stores SHA-256 of MRN — not PHI itself.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": threshold,
        "flagged": flagged,
        "patient_id_hash": patient_id_hash,
        "study_uid": study_uid,
        "facility_npi": facility_npi,
    }
    audit_path = Path("/var/log/glyphward/ophthalmic_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")


async def process_ophthalmic_image_batch(
    images: list[tuple[Path, OphthalmicAIContext, str, str, str]],
) -> list[dict]:
    """Process a batch of (path, context, patient_hash, study_uid, facility_npi) tuples."""
    async with httpx.AsyncClient() as client:
        tasks = [
            scan_ophthalmic_ai_image(
                image_path=path,
                context=ctx,
                patient_id_hash=pid,
                study_uid=uid,
                facility_npi=npi,
                client=client,
            )
            for path, ctx, pid, uid, npi in images
        ]
        results = []
        for coro in asyncio.as_completed(tasks):
            try:
                results.append(await coro)
            except AdversarialOphthalmicAIImageError as exc:
                results.append({
                    "status": "quarantined",
                    "context": exc.context.value,
                    "scan_id": exc.scan_id,
                    "score": exc.score,
                    "flagged_region": exc.flagged_region,
                })
        return results
```
Deploy scan_ophthalmic_ai_image at the image ingestion boundary of each ophthalmic AI pipeline: before the fundus photograph reaches IDx-DR, Topcon AI, or Google DeepMind retinal AI; before the OCT B-scan reaches Heidelberg SPECTRALIS AI or Zeiss CIRRUS GPA; before the home OCT image reaches Notal Vision cloud AI; and before the teleophthalmology fundus photograph enters EyePACS or any telehealth retinal AI API. The patient_id_hash pattern (SHA-256 of MRN) preserves the clinical audit chain without storing ePHI.
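The batch helper above collects results in completion order and lets any error other than AdversarialOphthalmicAIImageError (an HTTP error, a timeout) propagate out of the whole batch. The following is an added example, not Glyphward's code, of a fail-closed gate that returns one decision per study in input order and holds any image whose scan did not complete; `Disposition`, `GateDecision`, `gate_one`, `gate_batch` and the offline `stub_scan` stand-in are hypothetical names, and the study identifiers and image bytes are constructed.

```python
import asyncio
from dataclasses import dataclass
from enum import Enum
from typing import Awaitable, Callable, Optional

# Per-context thresholds as listed on this page.
THRESHOLDS = {
    "dr_screening": 50, "oct_glaucoma": 50,
    "amd_monitoring": 55, "teleophthalmology": 55,
}


class Disposition(Enum):
    FORWARD = "forward"        # scanned, score at or below threshold
    QUARANTINE = "quarantine"  # scanned, score above threshold
    HOLD = "hold"              # no trustworthy scan result: fail closed


@dataclass(frozen=True)
class GateDecision:
    study_uid: str
    context: str
    disposition: Disposition
    score: Optional[int]
    reason: str


# A scanner takes (image_bytes, context) and returns the scan result dict.
Scanner = Callable[[bytes, str], Awaitable[dict]]


async def gate_one(study_uid: str, context: str, image: bytes,
                   scan: Scanner, timeout_s: float = 5.0) -> GateDecision:
    """Decide what happens to one image; never forwards without a valid score."""
    def hold(reason: str) -> GateDecision:
        return GateDecision(study_uid, context, Disposition.HOLD, None, reason)

    threshold = THRESHOLDS.get(context)
    if threshold is None:
        return hold("unknown context")
    try:
        result = await asyncio.wait_for(scan(image, context), timeout_s)
    except asyncio.TimeoutError:
        return hold("scanner timeout")
    except Exception as exc:  # transport error, HTTP error, bad JSON, ...
        return hold(f"scanner error: {type(exc).__name__}")

    score = result.get("score") if isinstance(result, dict) else None
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        return hold("malformed scan result")
    if score > threshold:
        return GateDecision(study_uid, context, Disposition.QUARANTINE, score,
                            f"score {score} > threshold {threshold}")
    return GateDecision(study_uid, context, Disposition.FORWARD, score,
                        "at or below threshold")


async def gate_batch(items, scan: Scanner, timeout_s: float = 5.0):
    """items: (study_uid, context, image_bytes) tuples. Output order = input order."""
    return list(await asyncio.gather(
        *(gate_one(uid, ctx, img, scan, timeout_s) for uid, ctx, img in items)
    ))


async def stub_scan(image: bytes, context: str) -> dict:
    """Constructed offline stand-in for the scan call; not a real API client."""
    if image.startswith(b"ERR"):
        raise ConnectionError("scanner unreachable")
    if image.startswith(b"SLOW"):
        await asyncio.sleep(1.0)
    if image.startswith(b"BAD"):
        return {"scan_id": "stub-bad"}           # response without a score
    return {"scan_id": "stub", "score": image[0]}  # first byte acts as the score


def run_demo():
    items = [
        ("study-1", "dr_screening", bytes([12]) + b"-fundus"),
        ("study-2", "dr_screening", bytes([72]) + b"-fundus"),
        ("study-3", "amd_monitoring", bytes([55]) + b"-oct"),  # 55 is not > 55
        ("study-4", "oct_glaucoma", b"ERR"),
        ("study-5", "teleophthalmology", b"SLOW"),
        ("study-6", "oct_glaucoma", b"BAD"),
    ]
    return asyncio.run(gate_batch(items, stub_scan, timeout_s=0.05))


if __name__ == "__main__":
    for decision in run_demo():
        print(decision.study_uid, decision.disposition.value, decision.reason)
```

Only `FORWARD` decisions should reach the diagnostic AI; `HOLD` studies need a rescan or manual review rather than a silent pass.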
Coverage matrix
| Tool | Diabetic retinopathy screening AI bypass | OCT glaucoma progression injection | AMD monitoring AI injection | Teleophthalmology screening bypass |
|---|---|---|---|---|
| Lakera Guard | No (text only) | No (text only) | No (text only) | No (text only) |
| LLM Guard | No (text only) | No (text only) | No (text only) | No (text only) |
| Azure Prompt Shields | No (text only) | No (text only) | No (text only) | No (text only) |
| Platform-native (IDx-DR, Topcon AI, Heidelberg SPECTRALIS AI, Notal Vision, EyePACS) | No adversarial injection detection | No adversarial injection detection | No adversarial injection detection | No adversarial injection detection |
| Glyphward | Yes — scans fundus photograph bytes before DR screening AI; threshold 50; study UID + facility NPI logged | Yes — scans OCT B-scan bytes before RNFL progression AI; threshold 50; DICOM study UID logged | Yes — scans macular OCT bytes before AMD activity AI; threshold 55; patient hash logged | Yes — scans teleophthalmology fundus bytes before remote screening AI; threshold 55; facility NPI logged |
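The logged fields in the Glyphward row are only useful if someone reviews them. The following is an added example, not part of the original page or of Glyphward's tooling, that reads records in the layout written by write_ophthalmic_scan_audit, reports records whose threshold or flag disagrees with the per-context thresholds on this page, and lists facilities whose flagged rate suggests a systematic problem; the function names, the `min_scans` and `max_rate` cut-offs and every sample value are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Per-context thresholds as listed on this page.
EXPECTED_THRESHOLDS = {
    "dr_screening": 50, "oct_glaucoma": 50,
    "amd_monitoring": 55, "teleophthalmology": 55,
}
REQUIRED_FIELDS = ("scan_id", "context", "score", "threshold",
                   "flagged", "study_uid", "facility_npi")


def parse_audit_lines(lines):
    """Return (records, rejected_line_numbers) for JSONL audit lines."""
    records, rejected = [], []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(lineno)  # e.g. a truncated write
            continue
        if (isinstance(rec, dict) and all(k in rec for k in REQUIRED_FIELDS)
                and isinstance(rec["score"], int)):
            records.append(rec)
        else:
            rejected.append(lineno)
    return records, rejected


def integrity_findings(records):
    """Records whose threshold or flag disagrees with the configured gate."""
    findings = []
    for rec in records:
        expected = EXPECTED_THRESHOLDS.get(rec["context"])
        if expected is None:
            findings.append((rec["scan_id"], "unknown_context"))
        elif rec["threshold"] != expected:
            findings.append((rec["scan_id"], "threshold_drift"))
        elif rec["flagged"] != (rec["score"] > expected):
            findings.append((rec["scan_id"], "flag_mismatch"))
    return findings


def facility_flag_counts(records):
    """Map facility_npi -> (scans, scans above the expected threshold).

    The flag is recomputed from the score so a drifted threshold in the
    log cannot hide a flagged image.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        expected = EXPECTED_THRESHOLDS.get(rec["context"])
        if expected is None:
            continue
        entry = counts[rec["facility_npi"]]
        entry[0] += 1
        entry[1] += int(rec["score"] > expected)
    return {npi: tuple(v) for npi, v in counts.items()}


def facilities_over_rate(records, min_scans=3, max_rate=0.5):
    """Facilities with enough scans whose flagged share exceeds max_rate."""
    return sorted(
        npi for npi, (total, flagged) in facility_flag_counts(records).items()
        if total >= min_scans and flagged / total > max_rate
    )


def _sample(n, npi, context, score, threshold, flagged):
    """Build one constructed audit line (all values made up)."""
    return json.dumps({
        "ts": f"2025-01-01T00:00:{n:02d}+00:00", "scan_id": f"scan-{n:02d}",
        "image_sha256": f"{n:064x}", "context": context, "score": score,
        "threshold": threshold, "flagged": flagged,
        "patient_id_hash": f"{n + 100:064x}", "study_uid": f"study-{n:02d}",
        "facility_npi": npi,
    })


SAMPLE_LINES = [
    _sample(1, "0000000001", "teleophthalmology", 12, 55, False),
    _sample(2, "0000000001", "teleophthalmology", 71, 55, True),
    _sample(3, "0000000001", "teleophthalmology", 80, 55, True),
    _sample(4, "0000000001", "teleophthalmology", 66, 55, True),
    _sample(5, "0000000002", "dr_screening", 5, 50, False),
    _sample(6, "0000000002", "dr_screening", 9, 50, False),
    _sample(7, "0000000002", "dr_screening", 14, 50, False),
    _sample(8, "0000000002", "dr_screening", 61, 50, True),
    _sample(9, "0000000003", "dr_screening", 72, 90, False),   # threshold raised
    _sample(10, "0000000003", "oct_glaucoma", 60, 50, False),  # flag not set
    '{"ts": "2025-01-01T00:00:11+00:00", "scan_id": "scan-11"',  # truncated line
]

if __name__ == "__main__":
    recs, bad = parse_audit_lines(SAMPLE_LINES)
    print("rejected lines:", bad)
    print("integrity findings:", integrity_findings(recs))
    print("facilities over rate:", facilities_over_rate(recs))
```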
Related questions
What makes IDx-DR uniquely high-risk for adversarial injection compared to other FDA-authorized AI diagnostic tools?
IDx-DR received FDA De Novo authorization DEN170001 in April 2018 as the first AI device authorized to make a diagnostic finding autonomous of clinician image review — meaning the AI output is communicated directly to the patient (via the clinician’s practice) as a screening result without a trained ophthalmologist or optometrist reviewing the retinal photograph. This is categorically different from most FDA-cleared AI/ML medical devices, which function as Computer-Aided Detection (CADe) or Computer-Aided Diagnosis (CADx) tools that assist a trained clinician reviewer rather than replacing the review step. For a standard CADe AI tool, an adversarially suppressed finding is an error that the reviewing clinician may catch; for IDx-DR in its autonomous screening deployment, an adversarially suppressed retinopathy finding generates a negative screening result that no ophthalmologist reviews before the patient is told their retina is healthy.
The regulatory significance of this distinction is that FDA’s De Novo authorization for IDx-DR was contingent on the AI demonstrating sufficient standalone performance (sensitivity 87.2%, specificity 90.7% in the pivotal trial) to justify autonomous operation. That performance characterization was on clean validation images, not on adversarially perturbed images. FDA’s October 2023 SaMD Cybersecurity Guidance acknowledges adversarial inputs as a cybersecurity threat category for AI/ML SaMD, but the Cybersecurity Guidance was published five years after IDx-DR’s De Novo authorization; the original De Novo submission predates the adversarial ML literature’s maturation to clinical AI contexts. Pre-deployment adversarial scanning at the IDx-DR image upload boundary is the runtime control that fills this validation gap.
How does OCT adversarial injection affect glaucoma treatment escalation decisions in clinical practice?
Glaucoma treatment escalation — the clinical decision to intensify therapy by adding a second or third topical medication, performing selective laser trabeculoplasty, or recommending filtration surgery — is driven by evidence of progressive structural damage on OCT (RNFL thinning) correlated with functional progression on visual field testing (Humphrey Visual Field). Heidelberg SPECTRALIS GPA (Guided Progression Analysis), Zeiss CIRRUS Change Analysis, and equivalent progression analysis modules compare serial OCT measurements to detect statistically significant change. A treating ophthalmologist who sees the AI progression analysis report showing “no significant change” across three or four examination dates will typically maintain the current treatment regimen; a report showing “possible progression” or “likely progression” triggers treatment review and escalation discussion. The adversarial attack against OCT progression AI is specifically designed to generate “no significant change” reports for serial examinations where the underlying OCT data shows progressive RNFL thinning — suppressing the progression signal that should trigger treatment escalation.
The clinical consequence chain from adversarially suppressed OCT progression signal to irreversible vision loss has a characteristic time course: glaucoma progression from moderate to advanced visual field loss (MD deterioration from −6 dB to −12 dB) at untreated intraocular pressure typically requires 3–8 years; at controlled pressure with inadequate treatment, the rate is slower but the destination is the same. An adversarial injection attack that suppresses progression signals across four annual OCT examinations creates a 4-year window of inadequate treatment that is unlikely to be reversed when eventually detected, because the retinal ganglion cells lost during that period cannot be regenerated. This irreversibility distinguishes glaucoma progression AI adversarial injection from most enterprise AI adversarial attacks, where discovered errors are operationally disruptive but not permanent.
What is the adversarial attack surface in home OCT AI for AMD monitoring (Notal Vision)?
Notal Vision’s ForeseeHome device and its successor Home OCT system represent the first consumer home OCT platform authorized by FDA for medical monitoring. Patients with intermediate AMD who are at high risk for conversion to wet AMD use the device daily at home to acquire macular OCT scans, which are automatically transmitted over internet connectivity to Notal Vision’s cloud analysis platform. The AI detects subretinal fluid onset — the earliest sign of CNV conversion — and generates an alert to the treating retinal specialist when a fluid signal is detected, triggering urgent examination and treatment initiation. The clinical value is early detection: vision outcomes for wet AMD treated within days of CNV conversion are significantly better than outcomes for treatment initiated weeks later when symptoms become obvious.
The adversarial attack surface in home OCT AI is the internet transmission path from the home device to Notal Vision’s cloud backend. Unlike hospital PACS systems where image transmission occurs within controlled clinical network environments, home OCT images travel over residential broadband connections where HTTPS transport security is the sole protection against man-in-the-middle attacks. Adversarial perturbations applied to the OCT image data at the transmission boundary — before the image reaches Notal Vision’s AI analysis endpoint — could suppress subretinal fluid detection signals in B-scans showing early CNV conversion, preventing the alert that would trigger urgent referral. The consequence is delayed anti-VEGF treatment initiation, with visual acuity outcomes at 6 months significantly worse than for eyes treated within the first week of CNV onset. FDA’s home OCT authorization is predicated on device and transmission integrity; adversarial scanning at the cloud-side image intake API provides the integrity verification that FDA’s transmission security framework does not explicitly address.
How do EU MDR and EU AI Act requirements apply to ophthalmic AI products sold in Europe?
Ophthalmic AI products sold in the European Union as medical devices are regulated under the EU Medical Device Regulation (MDR) 2017/745, which replaced the Medical Device Directive in May 2021. Fundus photograph AI analysis tools and OCT AI analysis modules that make diagnostic claims are classified as medical devices; the classification depends on the specific intended purpose and the degree of autonomous diagnostic function. IDx-DR-class autonomous screening AI with no mandatory human review step is likely classified as Class IIa or Class IIb under MDR Rule 11 (AI/software that affects clinical decisions), requiring Notified Body audit and technical file review rather than self-declaration. Heidelberg SPECTRALIS AI operates as a software accessory to a cleared hardware device, a classification category with specific MDR provisions under Article 2(2) accessories definition.
The EU AI Act, applying from August 2026, classifies medical device AI systems (as defined by MDR/IVDR) as Annex III high-risk AI systems requiring conformity assessment, risk management documentation, and transparency obligations. EU AI Act Article 15 requires high-risk AI providers to implement technical robustness and accuracy measures that include resilience to attempts to alter the system’s behavior through adversarial inputs — the specific compliance gap that Glyphward’s pre-inference adversarial scanning fills. General Data Protection Regulation (GDPR) Article 22 provides data subject rights regarding automated decision-making, including the right to obtain human review of automated decisions with legal or similarly significant effects; autonomous ophthalmic AI screening decisions that determine whether a patient is referred for potentially sight-saving treatment trigger Article 22(3)’s human review requirement in EU deployments, creating a compliance architecture where adversarial injection detection is part of the audit trail for Article 22 human review escalation.
What is the difference between adversarial injection and normal AI performance variation in ophthalmic AI?
Ophthalmic AI systems demonstrate natural performance variation arising from image quality factors — pupil dilation status, media opacity (cataracts, vitreous floaters), patient fixation compliance, imaging artifact (flash reflections, motion blur) — that are well-documented in the clinical AI literature and managed through image quality grading algorithms that most ophthalmic AI platforms implement as a pre-classification step. IDx-DR, for example, returns an “image gradable” quality assessment before the retinopathy classification; Heidelberg SPECTRALIS RNFL measurement quality is assessed through signal strength index (SSI) thresholding. These quality checks are designed to reject images with natural image quality problems rather than adversarial perturbations, and they operate on image quality metrics (noise, focus, contrast) that differ from adversarial perturbation characteristics.
Adversarial perturbations are specifically designed to evade the quality-gating mechanisms that ophthalmic AI uses to filter low-quality natural images. A well-crafted adversarial perturbation will pass the IDx-DR quality grading check because the perturbation is designed to minimize its impact on the quality metrics the grading algorithm uses, while maximizing its impact on the retinopathy classification model’s feature representation. This is the essential asymmetry: natural image quality degradation is detected by quality checks because it degrades the same features that quality metrics measure; adversarial perturbations are designed to degrade AI classification without degrading quality metrics, making quality-based image rejection an ineffective defense. Glyphward’s adversarial scanning operates on the pixel-level adversarial signal patterns that are distinct from natural image quality variation — detecting the specific perturbation signatures that quality checks are not designed to identify.