Contributor: Vidya Murthy, WEMBA’42
To learn more about Vidya, click here.
The first quarter of 2026 marks a pivotal "Transfer of Trust" in healthcare technology. On January 6, 2026, the FDA released two landmark final guidance documents that intentionally narrowed and reduced federal oversight of AI-enabled clinical tools and certain wearables. Simultaneously, the Health Sector Coordinating Council (HSCC) has introduced a new cybersecurity framework to fill the resulting governance vacuum. For leadership, this shift means the legal and ethical "burden of proof" for AI safety has moved from federal regulators to the C-suite and state-level jurisdictions.
The Regulatory Pivot: FDA’s "Silicon Valley" Strategy
In early January 2026, FDA Commissioner Marty Makary announced a strategic shift to "move at the speed of Silicon Valley" by reducing "red tape" for digital health products.
The FDA now exempts Clinical Decision Support (CDS) software from medical device regulation even when it provides a single, clinically appropriate recommendation, provided the underlying logic is a "glass box" that clinicians can independently review. Additionally, low-risk wearables tracking metrics like blood pressure and blood glucose, as long as they are using non-invasive sensing and are not intended to guide clinical action, are now classified as non-medical "wellness" products, provided the vendor avoids specific diagnostic or treatment claims.
While this accelerates time-to-market, it creates a shift in governance. Device makers now face other regulations, such as state-level AI laws (California’s AB 489 and Texas’s TRAIGA) that mandate strict transparency and disclosure. In the near term it may appear easier to enter the market if a device is no longer an FDA-regulated medical device, but it likely means other regulations and laws will have to be understood and met.
When AI "Hallucinates" or Is Hunted
Parallel to this deregulation, research published in Nature Communications reveals that medical large language models (LLMs) are increasingly vulnerable to sophisticated "adversarial attacks" that could benefit from this reduced oversight.
Through the use of prompt injection and training data poisoning, malicious actors can impact and manipulate the AI model. And once a poisoned model is operational, it can perform perfectly on standard medical benchmarks while secretly generating dangerous recommendations - such as dropping vaccine advice from 100% to 4% - when triggered by a specific keyword.
These models provide "convincing justifications" and thus make erroneous outputs seem plausible, making it nearly impossible for non-experts to detect malicious manipulation.
The HSCC 2026 Framework: A New Road Map for Accountability
To bridge the governance gap, the Health Sector Coordinating Council (HSCC) has released its 2026 AI Cybersecurity Guidance series, focusing on a few critical workstreams:
- AI Bill of Materials (AIBOM): A "nutrition label" for algorithms that provides transparency into training data, sources of bias, and model provenance.
- AI Governance Maturity Model: A framework including a five-level autonomy scale to help organizations align the degree of human oversight with the inherent risk of the AI tool.
- Secure-by-Design Principles: Guidance for embedding security at the start of the AI lifecycle to defend against model poisoning and drift exploitation.
Conclusion
Given the hype (and pressure) most of us feel to adopt AI, it must by treated as high-risk that requires continuous monitoring. This is not the place to ‘set it and forget it.’ Make sure there is a knowledgeable human in the loop for all clinical related decisions - AI can assist, but must not replace human judgement. This can be achieved by establishing verification layers across your organization.
It’s been repeated multiple times - but cyber security is patient safety. As the FDA steps back to allow the "AI revolution" to proceed, healthcare leaders must step forward. Success will be defined by those who adopt proactive governance to manage the sophisticated, adversarial risks that federal oversight no longer covers.
Contact Vidya at: [email protected]