OAR auto-segmentation AI · Dose plan optimization AI · Patient-specific QA AI · Adaptive RT image registration AI
Prompt injection in radiation therapy treatment planning AI
Radiation therapy treatment planning has become one of the most AI-intensive workflows in clinical medicine, with machine learning systems now involved at every stage of the planning chain — from initial CT and MRI image analysis for organ delineation through final patient-specific quality assurance before treatment delivery. Varian Medical Systems, a Siemens Healthineers subsidiary with approximately 60% of the global radiotherapy market, has integrated AI into its Ethos adaptive therapy platform, Eclipse treatment planning system (TPS), and ARIA oncology information system. Elekta AB, with approximately 25% of the global market, deploys Atlas-based automatic segmentation and the Monaco Monte Carlo AI dose optimization engine. RaySearch Laboratories’ RayStation TPS integrates AI segmentation, robust optimization, and biological dose model AI across multi-vendor linear accelerator platforms. Brainlab Elements Smart Segmentation received FDA 510(k) clearance K190563 for AI-based auto-contouring of organs at risk from CT and MRI planning scans. The combined penetration of these AI-assisted planning tools means that for most of the roughly 700,000 patients who receive external beam radiotherapy annually in the United States alone, at least one AI system will influence a safety-critical planning parameter before treatment begins.
The adversarial injection surface in radiation therapy AI is both specific and severe. Treatment planning AI systems process medical images — CT planning scans represented as Hounsfield Unit density maps rendered as grayscale images, MRI sequences rendered as T1 or T2 contrast images, cone-beam CT (CBCT) images acquired at the treatment unit for daily position verification — and these images enter AI models as pixel inputs at multiple stages of the planning workflow. At each boundary where a medical image is submitted to an AI model for segmentation, optimization, quality assurance analysis, or image registration, the AI operates on pixel values whose integrity is assumed but not verified. Adversarial pixel perturbations applied to CT planning images, CBCT daily imaging datasets, or portal dosimetry comparison images — perturbations imperceptible to the human eye but specifically crafted to manipulate the AI’s output — can corrupt the planning workflow in ways that lead to incorrect radiation dose delivery to cancer patients. The clinical consequences span from radiation necrosis of the brainstem from excess dose above the 54 Gy tolerance threshold, to geographic miss of the tumor target from isodose lines shifted below the prescription dose, to systematic dose errors propagating through a patient’s full treatment course when a quality assurance check is falsely passed. FDA 510(k) clearances for TPS AI components, AAPM Task Group 218 (PSQA standards), and FDA’s 2021 AI/ML-based Software as a Medical Device guidance collectively define the regulatory landscape for these AI systems, but none requires inference-time adversarial pixel scanning at AI model input boundaries.
TL;DR
Varian Ethos AI, Elekta Atlas segmentation, RayStation AI, Brainlab Elements Smart Segmentation, Sun Nuclear SunCHECK Patient AI, IBA Dosimetry myQA, and ViewRay MRIdian AI — process CT and MRI planning images, dose distribution renderings, portal dosimetry comparison images, and cone-beam CT registration scans. Adversarially crafted images can cause AI to expand or shrink organ-at-risk contours leading to incorrect dose constraints, shift isodose coverage below tumor prescription producing geographic miss, pass failing patient-specific QA plans causing systematic dose errors, and mis-register daily CBCT to planning CT resulting in dose delivery to adjacent healthy structures — at thresholds of 45 for OAR auto-segmentation AI, 45 for dose plan optimization AI, 45 for PSQA portal dosimetry AI, and 50 for adaptive RT CBCT image registration AI. Free tier — 10 scans/day, no card required.
Four adversarial injection surfaces in radiation therapy treatment planning AI
1. CT/MRI organ-at-risk (OAR) auto-segmentation AI injection (Varian Ethos AI, Elekta Atlas segmentation, RayStation AI, Brainlab Elements Smart Segmentation FDA 510(k) K190563)
Organ-at-risk auto-segmentation is the first major AI step in the external beam radiotherapy planning workflow. After a patient undergoes a CT simulation scan — a dedicated treatment planning CT scan acquired with the patient in treatment position — AI segmentation tools automatically delineate critical normal tissue structures from the CT density data. Varian Ethos AI performs real-time auto-contouring of OARs including parotid glands, spinal cord, brainstem, mandible, and esophagus as part of the adaptive therapy workflow, generating contours on the daily CT reconstruction that feed directly into the adaptive dose plan calculation. Elekta’s Atlas-based segmentation uses a library of expert-contoured CT datasets to drive AI delineation across the same OAR set. RayStation AI segmentation, integrated into the RaySearch Laboratories TPS, applies deep learning segmentation models for multi-structure OAR delineation from CT and MRI planning images, with validated models for brain, thorax, abdomen, and pelvis OAR sets. Brainlab Elements Smart Segmentation, cleared under FDA 510(k) K190563, provides AI auto-contouring of OARs including kidneys, bowel, rectum, bladder, and spinal cord from CT and MRI planning scans. In each system, the AI delineates the OAR boundaries, and the resulting contour defines the dose constraint that the plan optimizer must satisfy — for example, a maximum brainstem dose of 54 Gy or a spinal cord maximum of 45 Gy based on the QUANTEC organ tolerance dose-volume relationships.
The adversarial attack against OAR segmentation AI targets the CT or MRI planning image at the point it is submitted to the segmentation AI model. Adversarial pixel perturbations applied to the CT planning image — modifications to specific pixel intensity values within the image while maintaining the visual appearance of a normal CT scan — can cause the AI segmentation model to systematically expand or shrink the predicted OAR contour boundaries. A contour expansion attack on brainstem segmentation causes the AI to delineate a brainstem volume that extends beyond the true brainstem boundary; the dose optimizer, constraining dose to the AI-generated (expanded) contour, applies the 54 Gy brainstem maximum to a region that includes non-brainstem tissue, leaving the actual brainstem partially unconstrained and potentially receiving doses above the tolerance threshold during the optimized plan. The inverse contour shrinkage attack on parotid gland segmentation causes the AI to delineate a smaller-than-actual parotid volume, reducing the effective dose constraint coverage for parotid sparing and allowing higher parotid dose in the optimized plan than the treating physician intended — with chronic xerostomia (severe dry mouth) as the clinical consequence for head and neck cancer patients. At Glyphward’s threshold of 45 for OAR segmentation AI contexts, adversarial perturbations that achieve a segmentation manipulation score above this level are quarantined before the CT image is submitted to the Varian Ethos, Elekta, or RayStation segmentation model, and the scan event is recorded for physics review under AAPM TG-218 quality assurance documentation requirements.
2. Dose plan optimization AI injection (Varian Eclipse IMRT/VMAT optimization AI FDA 510(k) K210421, Elekta Monaco Monte Carlo AI, RayStation Robust Optimization AI)
After OAR and tumor target volume (PTV, GTV, CTV) contours are finalized — either by AI auto-segmentation with physician review or by manual physician delineation — the treatment planning system’s dose optimization engine calculates the beam angles, fluence maps, and monitor unit weightings that deliver the prescribed dose to the tumor target while minimizing dose to surrounding OARs. Varian Eclipse’s IMRT and VMAT optimization engine, cleared under FDA 510(k) K210421, uses AI-assisted beam arrangement and fluence optimization to generate dose plans for intensity-modulated and volumetric arc therapy treatments, reading the CT Hounsfield Unit density map as a grayscale image to calculate radiation transport through tissue. Elekta Monaco TPS applies Monte Carlo dose calculation AI that models photon and electron radiation transport through the CT density map with statistical precision, generating dose distributions used for Monaco’s biological optimization objectives. RayStation’s Robust Optimization AI accounts for geometric uncertainties in patient positioning by optimizing across a set of shifted CT scenarios, requiring the AI to evaluate dose distributions across multiple perturbed CT image sets simultaneously.
The adversarial attack against dose optimization AI targets the CT density map image submitted to the dose calculation engine — the same CT planning scan that is used for OAR segmentation, but processed by the dose optimizer as a material density input for radiation transport modeling. Adversarial pixel perturbations applied to the CT image at the dose calculation input boundary can cause the AI-assisted optimization engine to calculate incorrect tissue attenuation along specific beam paths, shifting isodose line positions in the calculated dose distribution. When isodose lines are shifted adversarially, the 95% isodose surface (D95) that defines PTV coverage can appear adequate in the plan visualization — the 95% isodose line appears to encompass the PTV — while the actual radiation dose delivered to the tumor when the perturbed CT density values are corrected for true tissue composition falls below the prescription dose. This geometric miss — delivering a systematically lower tumor dose than prescribed across an entire treatment course — represents one of the most serious dosimetric errors in radiotherapy, reducing the probability of tumor control without the treating team’s awareness that the prescription was not met. For stereotactic body radiotherapy (SBRT) and stereotactic radiosurgery (SRS) plans where dose gradients are steep and the difference between tumor control and normal tissue toxicity is measured in millimeters, adversarial isodose shifting at the CT density input boundary creates clinically unacceptable dose delivery uncertainty. The Glyphward scan gate positioned before CT image submission to the Eclipse, Monaco, or RayStation dose optimizer at threshold 45 detects adversarially perturbed CT density images before they influence fluence optimization.
3. Patient-specific QA (PSQA) portal dosimetry AI injection (Sun Nuclear SunCHECK Patient AI FDA 510(k) K183082, IBA Dosimetry myQA, PTW OCTAVIUS AI)
Patient-specific quality assurance is the final verification step before a radiation therapy treatment plan is approved for patient treatment delivery. PSQA verifies that the treatment plan can actually be delivered by the linear accelerator with the calculated dose distribution — checking that the physical MLC leaf positions, gantry angles, and monitor units of an IMRT or VMAT plan translate to a measured dose distribution that matches the calculated dose distribution within clinical tolerance limits. Sun Nuclear’s SunCHECK Patient AI, cleared under FDA 510(k) K183082, is the market-leading PSQA software platform used by hundreds of radiation oncology departments; it ingests portal dosimetry images — dose images acquired by the linear accelerator’s electronic portal imaging device (EPID) during a verification delivery — and compares them to the planned dose distribution using gamma analysis. AAPM Task Group 218 establishes the clinical standard for PSQA: a 3%/3mm gamma criterion (3% dose difference and 3mm distance-to-agreement) with a passing rate above 90–95% is required before a plan can be approved for treatment. IBA Dosimetry’s myQA and PTW OCTAVIUS AI similarly apply AI-assisted gamma analysis to portal dosimetry images for pass/fail PSQA determination.
The adversarial attack against PSQA portal dosimetry AI targets the portal dose image submitted to the gamma analysis AI. The EPID portal dose image — a 2D array of measured dose values rendered as a grayscale image — is submitted to the SunCHECK, myQA, or OCTAVIUS AI for comparison against the planned dose distribution. Adversarial pixel perturbations applied to the portal dose image can cause the gamma analysis AI to evaluate the perturbed comparison as passing the 3%/3mm criterion when the actual unperturbed portal dose image would fail — meaning the adversarially manipulated image produces a false-pass PSQA result for a plan that has real dosimetric errors. When a treatment plan with real dosimetric errors is approved for patient treatment on the basis of a falsely passed PSQA check, the systematic dose error — which may involve underdosing of the tumor target, overdosing of an OAR, or a fluence delivery artifact — is delivered to the patient across all treatment fractions. For a typical IMRT treatment of 25–35 fractions, a systematic 10% dose delivery error that PSQA was designed to catch represents a total dose discrepancy of several Gray across the full treatment course. The adversarial attack is particularly dangerous because PSQA is the last independent verification before treatment delivery; there is no further checkpoint downstream. Glyphward’s scan at threshold 45 applied to portal dose images before SunCHECK, myQA, or OCTAVIUS AI submission detects adversarially perturbed portal dosimetry images that would otherwise falsely pass PSQA review, with scan records structured for AAPM TG-218 quality management documentation and 21 CFR Part 820 quality system record requirements.
4. Adaptive radiotherapy CBCT image registration AI injection (Varian Ethos Adaptive AI, Elekta Unity MR-Linac, ViewRay MRIdian AI)
Adaptive radiotherapy represents the most AI-intensive segment of the radiation therapy delivery workflow. Before each treatment fraction in an adaptive RT program, the patient undergoes daily imaging at the treatment unit — a cone-beam CT (CBCT) acquired on a conventional linear accelerator like Varian Ethos, or a magnetic resonance image (MRI) acquired on Elekta Unity MR-Linac or ViewRay MRIdian — and AI deformable image registration (DIR) maps the daily image to the original planning CT to detect changes in patient anatomy, tumor position, and OAR position that have occurred since the original plan was created. Varian Ethos Adaptive AI performs online adaptive planning — generating a new optimized dose plan within minutes, during the patient’s treatment appointment, based on the AI-registered daily CBCT — enabling the radiation dose to be conformed to the patient’s anatomy as it changes day to day during the treatment course. Elekta Unity MR-Linac combines a 1.5 Tesla MRI with a linear accelerator, enabling real-time MRI-guided treatment delivery with AI DIR between the daily treatment MRI and the planning MRI. ViewRay MRIdian uses a 0.35 Tesla MRI with a 60Co source array or linear accelerator for MR-guided adaptive radiotherapy with AI-based online re-planning.
The adversarial attack against adaptive RT image registration AI targets the daily CBCT or daily MRI submitted to the AI deformable registration engine. Adversarial pixel perturbations applied to the daily CBCT image can cause the AI DIR model to calculate a deformation vector field that systematically shifts the registered anatomy relative to the planning CT — reporting, for example, that the patient’s prostate has shifted 8mm posteriorly when the actual shift is only 2mm anteriorly. The adaptive plan generated from the adversarially misregistered daily image then directs high-dose radiation to a position displaced from the true tumor location, delivering excess dose to adjacent OARs (rectum or bladder in prostate adaptive RT; bowel in pancreatic adaptive RT) while underdosing the tumor target. For ViewRay MRIdian and Elekta Unity, where real-time MRI enables beam gating — the beam is held until the tumor is within a defined position gate — adversarial registration injection can corrupt the gating boundary definition itself, allowing beam delivery when the tumor is outside the intended position gate. The Glyphward threshold for adaptive RT CBCT registration AI contexts is 50, reflecting the fact that daily CBCT images undergo more preprocessing (scatter correction, noise reduction, Hounsfield Unit calibration) than planning CT images, creating greater benign image variation that the threshold must accommodate while still intercepting adversarial perturbations crafted to shift the DIR output beyond clinically acceptable limits.
Integration: radiation therapy AI image pipeline with Glyphward pre-scan
The Glyphward scan gate belongs at the image ingestion boundary for each radiation therapy AI subsystem — before the CT planning image reaches the OAR segmentation model, before the CT density map enters the dose optimization engine, before the portal dose image is submitted to the PSQA gamma analysis AI, and before the daily CBCT is fed to the adaptive registration engine. The async pattern below handles all four radiotherapy AI contexts through a shared scan_radiotherapy_ai_image function, with physics-calibrated thresholds and structured JSONL audit output compatible with AAPM TG-218 QA records and 21 CFR Part 820 device history record requirements.
import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path
import httpx
GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"
# Per-context thresholds reflecting radiotherapy AI patient-safety severity
OAR_SEGMENTATION_THRESHOLD = 45 # Varian Ethos / Elekta Atlas / RayStation / Brainlab AI
DOSE_OPTIMIZATION_THRESHOLD = 45 # Varian Eclipse / Elekta Monaco / RayStation Robust AI
PSQA_DOSIMETRY_THRESHOLD = 45 # Sun Nuclear SunCHECK / IBA myQA / PTW OCTAVIUS AI
ADAPTIVE_REGISTRATION_THRESHOLD = 50 # Varian Ethos Adaptive / Elekta Unity / ViewRay MRIdian AI
class RadiotherapyAIContext(Enum):
OAR_SEGMENTATION = "oar_segmentation" # threshold 45
DOSE_OPTIMIZATION = "dose_optimization" # threshold 45
PSQA_DOSIMETRY = "psqa_dosimetry" # threshold 45
ADAPTIVE_REGISTRATION = "adaptive_registration" # threshold 50
_CONTEXT_THRESHOLDS: dict[RadiotherapyAIContext, int] = {
RadiotherapyAIContext.OAR_SEGMENTATION: OAR_SEGMENTATION_THRESHOLD,
RadiotherapyAIContext.DOSE_OPTIMIZATION: DOSE_OPTIMIZATION_THRESHOLD,
RadiotherapyAIContext.PSQA_DOSIMETRY: PSQA_DOSIMETRY_THRESHOLD,
RadiotherapyAIContext.ADAPTIVE_REGISTRATION: ADAPTIVE_REGISTRATION_THRESHOLD,
}
class AdversarialRadiotherapyAIImageError(Exception):
"""Raised when Glyphward detects adversarial pixel content in a
radiation therapy AI planning image above the context threshold.
Attributes:
scan_id: Glyphward scan identifier for the audit record.
score: Adversarial signal score (0-100).
context: The RadiotherapyAIContext in which detection occurred.
flagged_region: Optional dict describing the flagged pixel region.
"""
def __init__(
self,
scan_id: str,
score: int,
context: RadiotherapyAIContext,
flagged_region: dict | None = None,
) -> None:
self.scan_id = scan_id
self.score = score
self.context = context
self.flagged_region = flagged_region
super().__init__(
f"Adversarial radiotherapy AI image detected: "
f"context={context.value} score={score} scan_id={scan_id}"
)
async def scan_radiotherapy_ai_image(
image_path: Path,
context: RadiotherapyAIContext,
patient_id_hash: str,
plan_id: str,
fraction_number: int | None,
modality: str,
client: httpx.AsyncClient,
) -> dict:
"""Scan a radiation therapy AI planning image for adversarial pixel content.
Args:
image_path: Absolute path to the CT, MRI, CBCT, or portal dose image.
context: RadiotherapyAIContext enum value identifying the AI pipeline.
patient_id_hash: SHA-256 hash of MRN (not the MRN itself — HIPAA).
plan_id: Treatment plan identifier from the TPS (not PHI).
fraction_number: Treatment fraction number (None for planning images).
modality: Image modality string: 'CT', 'MRI', 'CBCT', 'EPID'.
client: Shared httpx.AsyncClient for connection reuse.
Returns:
Glyphward scan result dict: scan_id, score, flagged_region, modality.
Raises:
AdversarialRadiotherapyAIImageError: if score exceeds context threshold.
httpx.HTTPStatusError: on Glyphward API errors (fail-closed: quarantine image).
"""
threshold = _CONTEXT_THRESHOLDS[context]
image_bytes = image_path.read_bytes()
image_hash = hashlib.sha256(image_bytes).hexdigest()
payload = {
"image": base64.b64encode(image_bytes).decode(),
"source": f"radiotherapy:{context.value}:{modality}:{plan_id}",
"metadata": {
"patient_id_hash": patient_id_hash,
"plan_id": plan_id,
"fraction_number": fraction_number,
"modality": modality,
"image_sha256": image_hash,
},
}
resp = await client.post(
GLYPHWARD_SCAN_URL,
headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
json=payload,
timeout=5.0,
)
resp.raise_for_status()
result = resp.json()
await write_radiotherapy_scan_audit(
image_hash=image_hash,
scan_id=result["scan_id"],
score=result["score"],
context=context,
threshold=threshold,
patient_id_hash=patient_id_hash,
plan_id=plan_id,
fraction_number=fraction_number,
modality=modality,
flagged=result["score"] > threshold,
)
if result["score"] > threshold:
raise AdversarialRadiotherapyAIImageError(
scan_id=result["scan_id"],
score=result["score"],
context=context,
flagged_region=result.get("flagged_region"),
)
return result
async def write_radiotherapy_scan_audit(
*,
image_hash: str,
scan_id: str,
score: int,
context: RadiotherapyAIContext,
threshold: int,
patient_id_hash: str,
plan_id: str,
fraction_number: int | None,
modality: str,
flagged: bool,
) -> None:
"""Append structured JSON audit record to radiotherapy AI scan log.
Satisfies AAPM TG-218 PSQA documentation requirements, HIPAA §164.312(b)
audit controls, and 21 CFR Part 820 device history record requirements.
Hashed patient IDs avoid PHI in the scan log itself.
"""
record = {
"ts": datetime.now(timezone.utc).isoformat(),
"scan_id": scan_id,
"image_sha256": image_hash,
"context": context.value,
"score": score,
"threshold": threshold,
"flagged": flagged,
"patient_id_hash": patient_id_hash,
"plan_id": plan_id,
"fraction_number": fraction_number,
"modality": modality,
}
audit_path = Path("/var/log/glyphward/radiotherapy_ai_scan_audit.jsonl")
audit_path.parent.mkdir(parents=True, exist_ok=True)
with audit_path.open("a") as fh:
fh.write(json.dumps(record) + "\n")
async def process_radiotherapy_image_batch(
images: list[tuple[Path, RadiotherapyAIContext, str, str, int | None, str]],
) -> list[dict]:
"""Process a batch of (path, context, patient_hash, plan_id, fraction, modality) tuples."""
async with httpx.AsyncClient() as client:
tasks = [
scan_radiotherapy_ai_image(
image_path=path,
context=ctx,
patient_id_hash=pid,
plan_id=plan,
fraction_number=frac,
modality=mod,
client=client,
)
for path, ctx, pid, plan, frac, mod in images
]
results = []
for coro in asyncio.as_completed(tasks):
try:
results.append(await coro)
except AdversarialRadiotherapyAIImageError as exc:
results.append({
"status": "quarantined",
"context": exc.context.value,
"scan_id": exc.scan_id,
"score": exc.score,
"flagged_region": exc.flagged_region,
})
return results
Deploy scan_radiotherapy_ai_image at four points in the radiation therapy planning pipeline: before the CT planning image reaches Varian Ethos AI, Elekta Atlas, RayStation AI, or Brainlab Elements segmentation; before the CT density map enters Eclipse IMRT/VMAT, Monaco Monte Carlo, or RayStation Robust Optimization dose calculation; before the portal dose image is submitted to SunCHECK Patient, myQA, or OCTAVIUS gamma analysis; and before the daily CBCT or treatment MRI enters Ethos Adaptive, Unity MR-Linac, or MRIdian deformable registration. Get early access
Related questions
What FDA clearances apply to AI-assisted radiation therapy treatment planning systems?
FDA regulates AI-assisted components of radiation therapy treatment planning systems as Software as a Medical Device (SaMD) under the 510(k) premarket notification pathway, with AI/ML-enabled TPS components classified as Class II medical devices under 21 CFR Part 892 (radiology devices). Brainlab Elements Smart Segmentation received FDA 510(k) clearance K190563 for AI-based organ-at-risk auto-segmentation from CT and MRI planning images. Varian Eclipse AI-assisted planning tools, including the IMRT and VMAT optimization components, hold clearances including K210421 for AI optimization features. Sun Nuclear SunCHECK Patient AI received FDA 510(k) clearance K183082 for its patient-specific QA software with AI-assisted gamma analysis. The overarching regulatory framework for AI in these TPS components is FDA’s 2021 guidance on Artificial Intelligence/Machine Learning-Based Software as a Medical Device, which classifies TPS AI components in the highest-impact AI/ML SaMD categories given their direct influence on radiation dose delivery parameters.
FDA’s 510(k) clearance process for TPS AI evaluates performance on curated test datasets under standard clinical operating conditions — clean CT images, unperturbed portal dose measurements, standard CBCT acquisitions. The adversarial pixel injection attack surface is not evaluated as part of the 510(k) substantial equivalence determination. FDA’s SaMD Cybersecurity Guidance, updated in October 2023, applies to these cleared AI components and requires manufacturers to address adversarial input threats in their cybersecurity risk management plans, but does not mandate specific inference-time adversarial scanning architecture. The AAPM TG-218 report on Measurement Uncertainty and Error Analysis for Patient-Specific QA establishes clinical standards for PSQA, including gamma analysis criteria, but addresses measurement-based uncertainties rather than AI model adversarial input vulnerabilities.
How does adversarial OAR contour manipulation cause brainstem radiation necrosis?
Brainstem radiation necrosis is a catastrophic late effect of radiation therapy to the head and neck, central nervous system, or skull base — occurring when the brainstem receives cumulative radiation dose above its established tolerance threshold. QUANTEC (Quantitative Analysis of Normal Tissue Effects in the Clinic) dose-volume relationships, derived from analysis of thousands of treated patients, establish the brainstem maximum dose tolerance at 54 Gy for conventional fractionation; doses above this threshold carry increasing risk of radiation necrosis, a progressive demyelinating injury that can cause severe neurological deficits including cranial nerve palsies, swallowing dysfunction, ataxia, and death. In head and neck cancer, nasopharyngeal carcinoma, and brain/skull base tumor radiotherapy, the brainstem is the primary dose-limiting OAR — the planning system optimizer is instructed to maintain maximum brainstem dose at or below 54 Gy, and the resulting plan has its beam arrangement, fluence distribution, and dose prescription constrained by this OAR limit.
The adversarial contour manipulation attack exploits the direct mapping between the AI-generated contour boundary and the dose constraint applied by the optimizer. If the AI segmentation model, responding to adversarial perturbations in the CT planning image, generates a brainstem contour that is 4–6 mm smaller than the true anatomical brainstem — a shrinkage within the range of inter-observer contouring variability and therefore not immediately suspicious to a reviewing physician — the optimizer applies its 54 Gy maximum dose constraint to the shrunken contour volume. The optimization result will have the 54 Gy isodose surface conforming tightly to the adversarially shrunken contour, leaving the actual brainstem tissue at the anatomical margin — the tissue beyond the AI’s shrunken contour — receiving doses potentially 10–20 Gy above the 54 Gy tolerance. When this plan is delivered over a 6–7 week treatment course, the cumulative brainstem dose above tolerance creates the biological substrate for delayed radiation necrosis, typically manifesting 6–18 months after treatment completion when the treating team’s post-treatment surveillance may not immediately connect the neurological deterioration to the planning error.
What is the adversarial attack surface difference between Varian Ethos Adaptive AI and conventional IMRT planning AI?
Conventional IMRT planning using Varian Eclipse or RayStation involves a planning workflow where the CT simulation scan is acquired once, OAR and target contours are delineated (with or without AI assistance), and the resulting dose plan is used for the patient’s entire treatment course — typically 25–35 fractions delivered over 5–7 weeks. The AI-assisted planning steps (segmentation, optimization) occur once during treatment planning, and the resulting plan is delivered identically at each fraction with daily position verification but without re-planning. The adversarial attack surface in conventional IMRT planning is bounded to the planning phase; a successfully defended planning CT image eliminates the adversarial risk for the patient’s entire treatment course.
Varian Ethos Adaptive AI changes this attack surface geometry fundamentally. In Ethos adaptive therapy, a daily CBCT is acquired before each fraction, AI deformable image registration maps the daily CBCT to the planning CT, AI auto-segmentation generates daily OAR and target contours on the registered CBCT, and the adaptive AI generates a new optimized dose plan specifically for that day’s anatomy — all within a 15–20 minute workflow at the treatment unit. This means the adversarial attack surface repeats at every treatment fraction: a new CBCT image is submitted to the Ethos adaptive AI pipeline before each of the 25–35 daily treatments. An adversarial actor with access to the CBCT data pathway has a repeated injection opportunity at each fraction rather than a single planning-phase window. Furthermore, the compressed timeline of the Ethos workflow — the adaptive plan must be approved and treatment delivered within the patient’s treatment appointment — reduces the practical opportunity for detailed physics review of the adaptive plan before delivery, increasing the dependence on the AI systems’ own QA outputs. Elekta Unity MR-Linac and ViewRay MRIdian create equivalent repeated-injection surfaces through their daily MRI-based adaptive workflows, with the additional consideration that MRI image artifacts (B1 field inhomogeneities, geometric distortion from susceptibility effects) create an imaging-specific adversarial surface distinct from CT-based adversarial pixel injection.
How does AAPM TG-218 govern PSQA pass/fail criteria and what does adversarial injection mean for TG-218 compliance?
AAPM Task Group 218, published in Medical Physics in 2018, established comprehensive recommendations for patient-specific quality assurance in IMRT and VMAT treatments, defining the gamma analysis criteria for PSQA pass/fail determination and the institutional action thresholds that should trigger physics review. TG-218 recommends a tolerance limit of 95% passing rate for 3%/3mm global gamma analysis as the standard clinical PSQA criterion, with an action limit of 90% — plans below 90% passing rate require physics investigation before treatment delivery. TG-218 also defines a “universal tolerance” concept acknowledging that different treatment techniques, beam energies, and delivery systems have different achievable baseline gamma passing rates, and that PSQA tolerance limits should be calibrated to each institution’s specific combination of TPS, delivery system, and measurement device.
Adversarial injection against PSQA portal dosimetry AI creates a direct TG-218 compliance failure scenario. TG-218 defines the PSQA pass/fail decision as the gating function before treatment delivery; a falsely passed PSQA result obtained through adversarial manipulation of the portal dose image submitted to SunCHECK, myQA, or OCTAVIUS AI results in a treatment plan being approved for delivery on the basis of a fraudulently passed TG-218 criterion. From a regulatory perspective, this creates exposure under FDA’s 21 CFR Part 820 quality system regulation — specifically the requirements for process validation and acceptance activities — and under NRC 10 CFR Part 35 requirements for medical use of byproduct material in facilities using sealed radioactive sources as part of their radiotherapy equipment. For institutions subject to The Joint Commission’s ambulatory health care accreditation with radiation oncology standards, adversarially manipulated PSQA records that led to treatment delivery constitute a clinical quality event requiring Root Cause Analysis under TJC Sentinel Event policy. Glyphward’s JSONL audit output for PSQA scan events is structured to support TG-218 QA record documentation, with image hash, scan_id, plan_id, and fraction_number fields sufficient for correlation to the institution’s treatment delivery records.
What regulatory obligations apply to radiation therapy AI vendors under FDA SaMD cybersecurity guidance and ISO 13485?
FDA’s October 2023 guidance “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” applies to all TPS AI components with 510(k) clearances, including Varian Eclipse AI tools, Brainlab Elements Smart Segmentation, and Sun Nuclear SunCHECK Patient AI. The guidance requires manufacturers to incorporate a Secure Product Development Framework (SPDF) that addresses adversarial input threats within their Software Development Lifecycle, to include cybersecurity risk management as part of their 510(k) or PMA submissions for AI/ML SaMD components, and to maintain post-market cybersecurity surveillance to identify and respond to newly discovered AI cybersecurity vulnerabilities. FDA’s final rule on 21 CFR Part 524B, which took effect in March 2024, requires manufacturers of medical devices with software — including TPS AI components — to maintain a Software Bill of Materials (SBOM) and to disclose known cybersecurity vulnerabilities in their regulatory submissions.
ISO 13485:2016, the international quality management system standard for medical device manufacturers, applies to Varian, Elekta, RaySearch, Brainlab, Sun Nuclear, IBA Dosimetry, and PTW as manufacturers of Class II medical devices. ISO 13485 Section 7.5.6 (Validation of processes for production and service provision) requires manufacturers to validate software used in production — including AI-assisted planning software — under conditions that represent the range of intended use. The adversarial pixel injection attack surface falls within the scope of ISO 13485 validation requirements when the AI software is deployed in conditions where the input image integrity cannot be guaranteed — precisely the clinical deployment context. IEC 62083:2009, the standard for requirements for TPS software, addresses software verification and validation requirements for TPS components. IEC 60601-2-1:2020, which covers particle therapy systems, addresses safety requirements for linear accelerator systems that integrate AI planning tools. Compliance with these standards in the context of adversarial AI input integrity requires runtime scanning of images at AI model input boundaries — the architectural position where Glyphward operates.
Further reading
- Prompt injection in healthcare radiology AI — diagnostic imaging and PACS AI adversarial surfaces
- Prompt injection in digital pathology and clinical laboratory AI — whole slide image and diagnostic AI pipelines
- HIPAA-compliant AI security — §164.312 audit controls for medical imaging AI pipelines
- Prompt injection in clinical trials and pharmaceutical AI — regulatory submission and trial data AI pipelines
- Prompt injection scanning API free tier — 10 scans/day, no card required