Artificial intelligence as a medical device in radiology: ethical and regulatory issues in Europe and the United States

Worldwide interest in artificial intelligence (AI) applications is growing rapidly. In medicine, devices based on machine/deep learning have proliferated, especially for image analysis, presaging new significant challenges for the utility of AI in healthcare. This inevitably raises numerous legal and ethical questions. In this paper we analyse the state of AI regulation in the context of medical device development, and strategies to make AI applications safe and useful in the future. We analyse the legal framework regulating medical devices and data protection in Europe and in the United States, assessing developments that are currently taking place. The European Union (EU) is reforming these fields with new legislation (General Data Protection Regulation [GDPR], Cybersecurity Directive, Medical Devices Regulation, In Vitro Diagnostic Medical Device Regulation). This reform is gradual, but it has now made its first impact, with the GDPR and the Cybersecurity Directive having taken effect in May, 2018. As regards the United States (U.S.), the regulatory scene is predominantly controlled by the Food and Drug Administration. This paper considers issues of accountability, both legal and ethical. The processes of medical device decision-making are largely unpredictable, therefore holding the creators accountable for it clearly raises concerns. There is a lot that can be done in order to regulate AI applications. If this is done properly and timely, the potentiality of AI based technology, in radiology as well as in other fields, will be invaluable.Teaching Points center dot AI applications are medical devices supporting detection/diagnosis, work-flow, cost-effectiveness.center dot Regulations for safety, privacy protection, and ethical use of sensitive information are needed.center dot EU and U.S. have different approaches for approving and regulating new medical devices.center dot EU laws consider cyberattacks, incidents (notification and minimisation), and service continuity.center dot U.S. laws ask for opt-in data processing and use as well as for clear consumer consent.