How to Choose AI & Diagnostics Software (SaMD)

May 1, 2026 · 12 min read · AI-generated

What hospital CIOs, radiology directors, and clinical engineers need to know before committing to an AI algorithm—and why FDA clearance alone is not enough.


What this is and who buys it

Diagnostic AI software—formally called Software as a Medical Device, or SaMD—refers to FDA-authorized algorithms that ingest clinical data (most commonly medical images, ECG waveforms, or EHR data) and return a clinical output: a triage flag, a measurement, a probability score, or, in autonomous systems, an actual diagnosis. The output is the product. There is no physical hardware to inspect, no sterilization cycle to audit, and no calibration sticker to check—which makes procurement feel deceptively straightforward until you're fielding a governance question at a medical staff meeting six months after go-live.

As of December 2025, the FDA had authorized more than 1,300 AI-enabled medical devices since 1995, with 258 cleared in 2025 alone—the highest annual count on record [S1, S2]. Radiology dominates the landscape: 76% of all cleared devices are radiology tools, with stroke triage, lung nodule detection, and breast density assessment among the most common indications [S3]. The buyer universe is correspondingly broad: hospital CIOs and CMIOs evaluating enterprise platforms, radiology and cardiology service-line directors looking to reduce read-queue backlogs, lab directors considering digital pathology automation, and ASC or clinic administrators exploring autonomous screening tools for ophthalmology or dermatology.

What makes this category genuinely different from other capital purchases is the post-market dimension. Unlike a CT scanner, a diagnostic AI algorithm can change—sometimes silently—through software updates. And unlike a reagent kit, its performance characteristics can degrade over time as the patient population it sees drifts from the population it was trained on. Understanding those dynamics before you sign a subscription agreement is arguably more important than anything you'll read in a product brochure.


Key decision factors

Regulatory pathway and cleared indications for use. Approximately 97% of AI/ML medical devices have reached market through the 510(k) pathway, which clears a device by demonstrating substantial equivalence to a predicate—not by requiring it to prove clinical benefit [S3, S9]. That matters at the purchasing stage because a 510(k) clearance is tightly scoped: it covers a specific indication for use, a specific patient population, and often a specific imaging modality or scanner type. A chest-CT lung-nodule algorithm cleared for incidental nodules in adults is not automatically cleared for lung cancer screening CT—even if the images look identical. Procurement officers should request the actual cleared indications for use document and map it against their intended deployment before anything else.

Clinical validation evidence. The 510(k) pathway does not require independent clinical data demonstrating real-world performance. A 2023 scoping review of FDA-authorized AI/ML radiology devices found that fewer than 2% of devices linked to peer-reviewed performance studies, and only 56 had been tested with any human operator in the loop [S3]. That gap creates material procurement risk: a device can be legally marketed while having no published external-site sensitivity/specificity data. Insist on AUC, sensitivity, specificity, PPV, and NPV—computed on a held-out or prospective cohort from sites outside the training set.

Demographic transparency and algorithmic bias. Stratified performance data is the exception rather than the rule. A 2024 analysis of FDA-cleared ML devices found that only 29.2% of submission decision summaries reported both sensitivity and specificity, and just 15.5% provided any demographic breakdown [S4]. An algorithm that performs well on average can still underperform in specific subpopulations—differences in scanner hardware, patient body habitus, skin tone, or disease prevalence can each shift accuracy. If a vendor cannot provide race/ethnicity- and sex-stratified performance tables with sample sizes, treat that as a data gap that requires resolution before contract execution, not after.
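One way to turn the validation and stratification requests above into a local check, shown as an added example that is not vendor or FDA code: it computes sensitivity, specificity, PPV, and NPV per stratum and attaches a 95% Wilson interval to sensitivity, so small subgroups are visible as wide intervals. The record layout, the stratum names, the `min_positives` threshold, and the sample counts are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

def ratio(num, den):
    """Proportion, or NaN when the denominator is empty."""
    return num / den if den else float("nan")

def wilson_interval(successes, n, z=1.96):
    """95% Wilson score interval for a proportion."""
    if n == 0:
        return (float("nan"), float("nan"))
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def stratified_metrics(records, min_positives=30):
    """records: iterable of (stratum, algorithm_flagged, reference_positive)."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for stratum, flagged, truth in records:
        cell = ("tp" if truth else "fp") if flagged else ("fn" if truth else "tn")
        counts[stratum][cell] += 1
    report = {}
    for stratum, c in counts.items():
        pos, neg = c["tp"] + c["fn"], c["tn"] + c["fp"]
        report[stratum] = {
            "n": pos + neg,
            "sensitivity": ratio(c["tp"], pos),
            "specificity": ratio(c["tn"], neg),
            "ppv": ratio(c["tp"], c["tp"] + c["fp"]),
            "npv": ratio(c["tn"], c["tn"] + c["fn"]),
            "sens_ci95": wilson_interval(c["tp"], pos),
            # Hypothetical local threshold: too few positives to trust the estimate
            "underpowered": pos < min_positives,
        }
    return report

def make_records(stratum, tp, fp, fn, tn):
    """Expand confusion-matrix counts into per-study records (constructed data)."""
    return ([(stratum, True, True)] * tp + [(stratum, True, False)] * fp
            + [(stratum, False, True)] * fn + [(stratum, False, False)] * tn)

# Constructed results for two scanner fleets; not real study data.
SAMPLE = (make_records("scanner_A", 90, 20, 10, 380)
          + make_records("scanner_B", 7, 5, 3, 85))

if __name__ == "__main__":
    for name, m in stratified_metrics(SAMPLE).items():
        lo, hi = m["sens_ci95"]
        print(f"{name}: n={m['n']} sens={m['sensitivity']:.2f} "
              f"CI95=({lo:.2f}, {hi:.2f}) underpowered={m['underpowered']}")
```

In the constructed data, the smaller stratum has a sensitivity interval roughly four times wider than the larger one, which is why a stratified table without sample sizes cannot be evaluated.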

Predetermined Change Control Plans (PCCPs). In December 2024, FDA published final guidance allowing manufacturers to pre-specify how an algorithm can be updated post-market—adding training data, adjusting model architecture within defined bounds—without submitting a new 510(k) for each change. This is operationally significant for buyers: if a vendor has an active PCCP, their model can change legally without your knowledge unless you've negotiated notification terms into the contract. Ask specifically whether a PCCP exists, what triggers a model update, and what the vendor's obligation is to inform you and allow local revalidation.

Integration architecture. In one qualitative study, 88% of healthcare decision-makers identified seamless integration with existing IT infrastructure as a major determinant of perceived value [S7]. This is not surprising—an algorithm that adds a step to the radiologist's worklist rather than surfacing results in the worklist will see poor adoption regardless of its clinical accuracy. Confirm DICOM routing, HL7 v2 or FHIR R4 endpoints, EHR (Epic/Cerner/Oracle Health) integration depth, and PACS worklist behavior. Clarify deployment topology: cloud-hosted SaaS introduces data residency and latency considerations that an on-prem deployment avoids, but cloud reduces the local GPU infrastructure burden.

Reimbursement coverage. FDA clearance does not equal payment. CMS has approved reimbursement pathways for approximately 10 AI/ML-enabled devices as of this writing [S5, S6]. Viz.ai's stroke LVO triage software, for example, is eligible for an NTAP (New Technology Add-on Payment) of up to $1,040 per eligible patient under IPPS [S11]. IDx-DR (now LumineticsCore) for autonomous diabetic retinopathy screening has an assigned CPT code (92229) under the Medicare Physician Fee Schedule [S12]. Most other devices have no direct reimbursement pathway, meaning the cost is absorbed as operational overhead. Build the reimbursement picture into your business-case modeling before committing to a subscription.

Pricing model transparency. Research published in npj Digital Medicine in 2026 found that healthcare decision-makers broadly resist opaque, purely usage-based pricing and prefer hybrid models—a predictable base fee combined with variable components denominated in clinically meaningful units such as per-study, per-patient, or per-episode [S7]. A pricing structure tied solely to compute consumption with no cap or floor makes budget forecasting nearly impossible and should be renegotiated. Get 3-year total cost of ownership in writing.

Drift monitoring and local validation. A model trained on data from two academic medical centers in the Northeast will not automatically perform equivalently in a rural critical-access hospital with a different scanner fleet and case mix. Algorithm performance degrades as its operating environment shifts—a phenomenon called dataset drift. Responsible vendors specify a monitoring cadence (quarterly is reasonable) and can provide audit logs of model output over time. If a vendor cannot describe their drift-detection methodology, that is a substantive technical gap, not a contractual nicety.
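A sketch of what a quarterly check over an output audit log can look like, added here as an example and not taken from any vendor's methodology: it compares each quarter's distribution of model scores against a baseline quarter using the Population Stability Index, one common drift statistic. The log layout, the quarter labels, the sample counts, and the 0.10 / 0.25 cut-offs (a conventional rule of thumb) are assumptions; a site would set its own thresholds.

```python
import math
from collections import defaultdict

def psi(baseline, current, bins=10, eps=1e-4):
    """Population Stability Index between two sets of scores in [0, 1]."""
    def shares(scores):
        if not scores:
            raise ValueError("no scores to compare")
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        # eps keeps empty bins from producing log(0) or division by zero
        return [max(c / len(scores), eps) for c in counts]
    b, c = shares(baseline), shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

def classify(value, watch=0.10, act=0.25):
    """Map a PSI value to an action label (thresholds are assumptions)."""
    if value < watch:
        return "stable"
    return "investigate" if value < act else "revalidate"

def quarterly_drift(audit_log, baseline_quarter):
    """audit_log: iterable of (quarter, model_score) pairs."""
    by_quarter = defaultdict(list)
    for quarter, score in audit_log:
        by_quarter[quarter].append(score)
    base = by_quarter[baseline_quarter]
    result = {}
    for quarter, scores in sorted(by_quarter.items()):
        if quarter != baseline_quarter:
            value = psi(base, scores)
            result[quarter] = (round(value, 3), classify(value))
    return result

def scores_from_counts(quarter, counts):
    """Constructed log entries: n scores at the midpoint of each score bin."""
    return [(quarter, (i + 0.5) / len(counts))
            for i, n in enumerate(counts) for _ in range(n)]

# Constructed audit log (1,000 studies per quarter); not real output data.
AUDIT_LOG = (
    scores_from_counts("2025Q1", [400, 200, 100, 80, 60, 50, 40, 30, 20, 20])
    + scores_from_counts("2025Q2", [390, 205, 105, 80, 60, 50, 40, 30, 20, 20])
    + scores_from_counts("2025Q3", [250, 150, 120, 110, 100, 90, 70, 50, 30, 30])
    + scores_from_counts("2025Q4", [150, 100, 100, 120, 120, 110, 100, 90, 60, 50])
)

if __name__ == "__main__":
    for quarter, (value, status) in quarterly_drift(AUDIT_LOG, "2025Q1").items():
        print(quarter, value, status)
```

A shift in the score distribution does not by itself show that accuracy has dropped; it indicates that the inputs or case mix have moved and that a labelled local audit is due.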

Cybersecurity posture. Cybersecurity disclosures appeared in only 54.2% of 2024 510(k) decision summaries [S4]. Diagnostic AI platforms that connect to PACS, EHR, and cloud infrastructure present a meaningful attack surface. At minimum, require a Machine-Readable Device Security Document (MDS2), a Software Bill of Materials (SBOM), a current HIPAA Business Associate Agreement, and SOC 2 Type II attestation. Where relevant, ask for a penetration-test summary and adversarial-robustness documentation.


What it costs

List pricing for diagnostic AI software is rarely public, and the market has not yet converged on standard pricing units—you will encounter per-study, per-seat, per-bed, and enterprise-volume models within the same RFP cycle. The ranges below are synthesized from published case studies and vendor RFP data and should be verified against individual quotes.

  • Entry tier — $15,000–$75,000/year: Single-module SaaS subscription, typically one algorithm (e.g., a single CAD module for a small imaging center). Per-study pricing at $0.50–$2.00/study is common at this tier.
  • Mid tier — $75,000–$400,000/year: Multi-algorithm platform deployed across a single hospital, including PACS and EHR integration. A department processing 10,000 images/month at $1/image reaches approximately $120,000/year.
  • Enterprise tier — $400,000–$2M+/year: Health-system licenses spanning multiple service lines and sites. Custom build-and-deploy projects can begin at $300,000 and exceed $1M, particularly at scale or when significant workflow customization is required. Public list pricing at this tier is essentially nonexistent.

Common use cases

The cleared-device landscape is heavily weighted toward imaging, but the category is expanding into waveform analysis, pathology, and embedded EHR decision support. The following contexts represent the highest-volume procurement conversations currently active in U.S. health systems.

  • Radiology triage and CAD: Stroke large-vessel occlusion (LVO), intracranial hemorrhage, pulmonary embolism, lung nodule detection, and breast density assessment are the most-cleared indication clusters [S3]. The QIH product code alone accounted for over 25% of 2025 clearances [S10].
  • Cardiology: ECG-based AFib and arrhythmia detection, echocardiography automation, and coronary CT fractional flow reserve (FFR) computation. Cardiology is the second-largest FDA category by device count, at 98 devices [S3].
  • Autonomous point-of-care screening: Diabetic retinopathy algorithms operating without real-time physician oversight (De Novo pathway) in primary care and endocrinology clinics, reimbursable under CPT 92229 [S12].
  • Pathology and EHR-embedded decision support: Digital pathology IHC quantification, cervical cytology, and sepsis/deterioration early-warning models embedded in the EHR—this last category is subject to ONC HHS HTI-1 transparency requirements when hosted within certified EHR technology.

Regulatory and compliance

Most diagnostic AI is regulated as FDA Class II SaMD, cleared through the 510(k) pathway. A small number of autonomous diagnostic tools—including the first autonomous diabetic retinopathy system—received clearance via the De Novo pathway, which establishes a new device type and is appropriate when no valid predicate exists. Applicable software lifecycle standards include IEC 62304 (medical device software development and maintenance), IEC 82304-1 (standalone health software), and ISO 14971 (risk management). Cybersecurity compliance is governed by FDA's 2023 premarket cybersecurity guidance and AAMI TIR57.

HIPAA compliance for SaMD that processes PHI requires a signed Business Associate Agreement and evidence of controls aligned with the HIPAA Security Rule. Facilities running AI tools embedded within ONC-certified EHR technology are also subject to the HHS HTI-1 final rule, which mandates reporting on predictive model performance, fairness methodology, and external validation for qualifying decision-support interventions. For post-market algorithm management, FDA's Good Machine Learning Practice (GMLP) principles and the December 2024 PCCP final guidance together define the current best-practice framework. Unlike physical devices, SaMD has no hardware calibration cycle, but algorithm performance monitoring should occur at minimum quarterly, with retraining cadence formally documented.


Service, training, and total cost of ownership

Implementation for a PACS- or EHR-integrated diagnostic AI platform typically requires 60 to 180 days from contract execution to clinical go-live. That timeline covers IT security review, DICOM routing configuration, HL7 or FHIR integration build-out, and the shadow-mode parallel-run period during which algorithm outputs are compared against standard-of-care reads without influencing clinical workflow. Plan for vendor-led training covering radiologists or clinicians, imaging technologists, and IT/biomed staff—but recognize that governance training (who reviews flagged cases, what the escalation protocol is, how disagreements between the AI and the human are documented) is equally important and often overlooked until the first adverse event.

Ongoing cost of ownership extends well beyond the license fee. Cloud SaaS contracts typically include an uptime SLA of 99.5% or better and vendor-side maintenance, but you should budget 15–25% of annual license cost for internal oversight: governance committee time, local performance audits, IT incident response, and any retraining or custom-integration work triggered by model updates. On-prem deployments that require local GPU appliances carry an additional hardware refresh cycle of approximately 4–6 years. The useful clinical lifespan of a specific algorithm version before substantive retraining or replacement is typically 2–5 years, though the subscription relationship is usually evergreen. Ask for itemized 3-year TCO projections that separate license, integration, monitoring infrastructure, and governance overhead.


Red flags to watch for

Vendors describing their product as "FDA approved" when the device has only been cleared through 510(k) are either misinformed or imprecise—either way, probe further. FDA approval and 510(k) clearance are legally distinct, and the distinction matters when the device is used in a manner that exceeds its cleared indications.

Absence of published, peer-reviewed external validation is a serious gap. A scoping review found that fewer than 2% of FDA-authorized AI/ML devices between 1995 and 2023 linked to peer-reviewed performance studies, and only 3.6% reported race or ethnicity of validation cohorts [S3]. If a vendor's "clinical evidence" package consists only of the FDA decision summary, that is the floor, not the ceiling.

A vendor that cannot describe—or refuses to disclose—their model update process, training data demographics, or failure-mode analysis should prompt significant concern. In a category where algorithm drift can silently degrade patient-safety-relevant outputs, opacity is not a competitive advantage; it is a governance liability. Similarly, the absence of SOC 2 Type II, HIPAA BAA, or MDS2 documentation for any cloud-connected diagnostic tool is a disqualifying condition, not a negotiating point.

Finally, ECRI named AI the number-one health technology hazard for 2025, citing automation bias—clinicians over-relying on algorithm outputs and under-applying independent judgment—as the primary mechanism of harm [S8]. A vendor that cannot articulate how their product is designed to support, rather than replace, clinical decision-making has not thought seriously about post-market safety.


Questions to ask vendors

  1. Provide the 510(k) or De Novo number, cleared indications for use, predicate device, and product code—and confirm that our intended deployment stays within those indications without modification.
  2. Share stratified validation data: sensitivity, specificity, AUC, PPV, and NPV broken down by sex, age band, race/ethnicity, scanner vendor, and care setting, with sample sizes and external (non-training) site representation.
  3. Do you have an FDA-approved Predetermined Change Control Plan? What triggers a model update, how and when are customers notified, and can we validate locally before the update is applied to our production environment?
  4. Describe your integration architecture: DICOM routing, HL7/FHIR endpoints, EHR and PACS compatibility, per-study latency SLA, and the on-prem vs. cloud deployment model with data residency specifics.
  5. Provide an itemized 3-year total cost of ownership covering license, integration services, GPU or server requirements, retraining, and governance support—and specify whether pricing is per-study, per-seat, per-bed, or enterprise-volume.
  6. What CMS reimbursement mechanisms (NTAP, CPT, MPFS) or commercial-payer coverage currently apply to this device, and can you provide documented case studies from comparable facilities showing realized reimbursement?

Alternatives

The first structural choice is between best-of-breed point solutions and multi-algorithm orchestration platforms. A single-algorithm deployment is easier to pilot and validate, but as algorithm count grows, the integration overhead—separate DICOM routing rules, separate vendor SLAs, separate governance processes—compounds quickly. Orchestration platforms aggregate multiple algorithms under one integration layer and one contract, adding an estimated $50,000–$150,000/year in platform cost but reducing IT burden substantially when you are running five or more algorithms across a service line.

SaaS subscription versus perpetual license is largely a moot question in this market: most diagnostic AI vendors have moved to subscription-only pricing. SaaS reduces upfront capital, keeps maintenance with the vendor, and simplifies updates—but cumulative multi-year subscription costs can exceed a one-time license fee, and you have no asset to depreciate. On-prem GPU appliances remain capitalizable and may be appropriate in data-sensitive environments, though they require local IT capacity for maintenance. "Refurbished" is not a meaningful category for SaMD itself; however, older certified algorithm versions may occasionally be available at reduced cost, which is generally not advisable given drift risk and the absence of ongoing support.

Institutions with significant research infrastructure sometimes consider building in-house models. Without FDA clearance, in-house models are limited to research or non-clinical decision support contexts; clinical deployment typically requires a cleared product. For independent evaluation before purchase or during post-market monitoring, ECRI offers medical device testing and health technology assessment services that provide unbiased performance benchmarking outside the vendor relationship [S8].


Sources

MedSource publishes neutral guidance. We do not accept payment from vendors to influence the content of articles. AI-generated articles are reviewed for factual accuracy but cited sources should be the primary reference for procurement decisions.