Building Clinical Software For A World That Changes Faster Than Code
In environments where software influences real clinical decisions, rigor is not optional. It is the condition that makes progress safe.
- The U.S. FDA has approved over 500 AI/ML-based medical devices as of 2023, yet only 12% include continuous learning algorithms, highlighting the regulatory gap.
- Predetermined change control plans (PCCPs), proposed by the FDA in 2025, aim to pre-approve algorithm updates for AI clinical software, reducing re-certification delays.
- A 2022 study in JAMA found that two widely used commercial sepsis prediction algorithms had an area under the curve (AUC) below 0.65 across diverse hospital systems, underscoring drift risks.
- Oracle Health (formerly Cerner) settled a $125 million claim in 2023 related to flaws in its EHR clinical decision support software, illustrating financial and reputational stakes.
- Cybersecurity vulnerabilities in clinical software—such as the 2024 ransomware attack on Change Healthcare that disrupted 70% of U.S. claim transactions—add another layer of safety risk.
The piece, published on Forbes.com, underscores that while the healthcare industry embraces artificial intelligence and machine learning, regulatory frameworks remain fragmented. The U.S. Food and Drug Administration (FDA) has approved more than 500 AI-based medical devices as of 2023, but many of these tools operate in a gray zone—especially those that continuously learn from new data. The author stresses that voluntary standards and retrospective validation are no longer sufficient; proactive, built-in safety measures are essential.
This is not a new problem. High-profile failures of clinical software—such as the Theranos debacle or flawed electronic health record (EHR) algorithms—have eroded trust. However, the acceleration of generative AI in healthcare has heightened scrutiny. In 2025, the FDA released a draft guidance on predetermined change control plans (PCCPs) for AI/ML-enabled devices, aiming to define when a software update constitutes a new device. But the guidance remains non-binding, leaving developers to navigate uncertainty.
The article highlights key requirements: rigorous testing across diverse populations, transparent documentation of model limitations, and continuous post-market surveillance. It also calls for collaboration between software engineers and clinicians—a gap that has led to many product failures. Companies like EPIC, Cerner (now Oracle Health), and startups such as Babylon Health are under pressure to prove their algorithms are safe before deployment.
Analysis from industry observers suggests that the biggest risk is not malicious hacking, but subtle model drift over time. For example, a sepsis prediction algorithm trained on data from a single hospital may fail when deployed in a rural setting with different patient demographics. The only safeguard is a culture of rigor: version control, audit trails, and a willingness to halt deployment when uncertain.
Looking ahead, the article argues that regulatory bodies will likely mandate real-world evidence for software changes. The FDA's planned Total Product Lifecycle (TPLC) approach for AI devices, expected to be finalized by 2027, could force developers to submit ongoing performance data. Forward-thinking companies are already adopting "software that monitors itself," using second-layer models to detect performance degradation. The message is clear: in clinical software, speed must never come at the cost of safety.
"Rigor is not optional. It is the condition that makes progress safe."
"In environments where software influences real clinical decisions, developers must treat safety as a first-class requirement, not an afterthought."
"The world of medicine changes faster than code can be updated—a fundamental tension that demands new engineering paradigms for clinical software."
Frequently Asked Questions
Clinical software refers to any software application used in healthcare settings to support diagnosis, treatment planning, patient monitoring, or clinical decision-making. It includes electronic health records, clinical decision support systems, and AI/ML-based diagnostic tools.
Clinical software directly influences patient care decisions. An error or bias in the algorithm can lead to misdiagnosis, inappropriate treatment, or patient harm. Safety rigor is essential to prevent adverse outcomes and maintain trust in digital health.
The FDA regulates AI/ML-based clinical software as medical devices. Developers must submit a 510(k) premarket notification or seek de novo classification. For continuous learning algorithms, the FDA is developing predetermined change control plans (PCCPs) to allow pre-approved updates without new submissions.
PCCPs are a regulatory framework proposed by the FDA in 2025. They allow manufacturers to describe anticipated software changes and performance evaluation methods upfront. Once approved, the manufacturer can implement those changes without needing prior FDA clearance for each update, speeding innovation while maintaining safety.
Model drift occurs when a machine learning model's performance degrades over time due to changes in input data distributions, patient populations, or clinical practices. In clinical software, drift can lead to inaccurate predictions, so continuous monitoring and revalidation are necessary to ensure safety.
Notable failures include the Theranos blood-testing software, which led to inaccurate results; flawed sepsis prediction algorithms that performed poorly across diverse hospitals; and ransomware attacks on healthcare systems like Change Healthcare, which disrupted clinical workflows and endangered patient data.
Topics
Original source
www.forbes.com
Discussion
Join the discussion
Sign in to post a comment or reply.
No comments yet. Be the first to share your thoughts!