AIb2.io - AI Research Decoded

The Software Running Your Hospital Might Not Be FDA-Approved (And Nobody's Quite Sure What to Do About It)

Somewhere between your doctor's clinical expertise and the diagnosis you receive, there's probably an algorithm. Maybe it's flagging you as a sepsis risk. Maybe it's suggesting which medication to prescribe. Maybe it's calculating whether that shadow on your scan is worth worrying about. And here's the kicker: a lot of this software has never been reviewed by the FDA.

A new viewpoint paper in The Lancet Digital Health by researchers from MIT and Massachusetts General Hospital lays out the regulatory mess surrounding clinical decision support (CDS) software - the digital tools that increasingly shape how healthcare gets delivered. The short version? Everyone knows there's a problem, but nobody wants to be the first to acknowledge it publicly.

The Regulatory Gray Zone Where Your Health Lives

The issue stems from how CDS software got carved out of FDA oversight in the first place. Back in 2016, the 21st Century Cures Act tried to draw a line: if software just helps doctors by presenting information they can independently evaluate, it's not a medical device. If it tells doctors what to do, it probably needs FDA review.

Sounds reasonable. In practice, it's a disaster.

Take sepsis prediction tools. Epic's widely deployed sepsis model runs in hospitals across the country without FDA clearance, while a competing tool called AWARE went through formal FDA classification as a moderate-to-high risk device. Same basic function, completely different regulatory treatment. And when researchers actually evaluated Epic's model externally, results were... variable.

The paper's authors - including Regina Barzilay, an MIT professor who was named to TIME's 2025 list of most influential people in AI for her work on cancer prediction - argue that health systems are stuck in an awkward position. They know some of their CDS tools probably should be regulated. But with enforcement historically minimal and the rules genuinely unclear, the status quo persists.

The Patient Safety Problem Nobody Wants to Quantify

This isn't just bureaucratic hand-wringing. The stakes are real.

One systematic review found that 50% of contemporary healthcare AI models carried high risk of bias, often due to incomplete datasets or missing demographic information. The VA's mortality prediction models were found to underidentify Black veterans as high-risk compared to White veterans with similar conditions. A widely used sepsis prediction tool turned out to have poor real-world performance despite broad adoption.

When CDS tools work well, they're genuinely valuable. Johns Hopkins' TREWS sepsis system identified 82% of confirmed sepsis cases early, reducing time-to-antibiotics and improving survival rates. But unlike new drugs or implantable devices, there's no public registry of what algorithms hospitals are running, what data they were trained on, or how well they actually perform.

Three Ideas That Might Actually Help

The paper proposes a refreshingly practical approach centered on what the authors call "radical transparency":

First, public disclosure. Health systems should be required to list what CDS software they're using, especially high-risk tools that influence standard-of-care decisions. Not the proprietary details - just what exists and what it does.

Second, structured dialogue. Get industry and the FDA actually talking about which products fall where, before someone gets hurt and lawyers get involved. The current approach of hoping nobody notices isn't sustainable.

Third, update the guidance. The FDA released revised CDS guidance in January 2026, but it still doesn't address AI-enabled products specifically - a glaring omission given that over 1,250 AI-enabled medical devices have been authorized for marketing in the US.

The Bottom Line

We're in a transition period where healthcare AI is moving faster than the rules governing it. That's not unusual for emerging technology. What is unusual is that the implications for patient safety are direct.

The solution isn't necessarily more regulation - it's clearer regulation. When doctors are using algorithms to make life-and-death decisions, everyone involved should at least agree on which ones require oversight. Right now, that's genuinely unclear, and the people running these systems have learned that asking for clarification might create problems they'd rather avoid.

This paper makes the case that avoiding the question indefinitely isn't an option. With AI capabilities expanding rapidly and healthcare systems increasingly dependent on automated decision support, the gap between what's regulated and what probably should be will only grow. Better to address it now, while we can still have a conversation about it, than after something goes seriously wrong.

References

  • Corso, M.M., Kim, P.T., Loufek, B.T., Lamb, L.R., & Barzilay, R. (2025). Bridging the gap: aligning clinical decision support regulation with clinical practice in the era of artificial intelligence. The Lancet Digital Health. DOI: 10.1016/j.landig.2025.100964
  • Sutton, R.T., et al. (2020). An overview of clinical decision support systems: benefits, risks, and strategies for success. npj Digital Medicine, 3, 17. PMC7005290
  • AHRQ Patient Safety Network. Clinical Decision Support Systems. PSNet Primer
  • FDA. Artificial Intelligence-Enabled Device Software Functions Guidance. FDA Media

Disclaimer: This blog post is a simplified summary of published research for educational purposes. The accompanying illustration is artistic and does not depict actual model architectures, data, or experimental results. Always refer to the original paper for technical details.