Securing deep learning models with differential privacy for cardiovascular disease prediction - UTU Research Portal

A1 Refereed original research article in a scientific journal

Securing deep learning models with differential privacy for cardiovascular disease prediction

Authors: Orabe, Zoher; Vasankari, Antti; Pahikkala, Tapio; Kaisti, Matti; Airola, Antti

Publisher: Elsevier BV

Publication year: 2026

Journal: Biomedical Signal Processing and Control

Article number: 108502

Volume: 112

Issue: Part C

ISSN: 1746-8094

eISSN: 1746-8108

DOI: https://doi.org/10.1016/j.bspc.2025.108502

Web address : https://doi.org/10.1016/j.bspc.2025.108502

Self-archived copy’s web address: https://research.utu.fi/converis/portal/detail/Publication/500354499

Abstract

This study investigates how differential privacy (DP) can enhance data confidentiality in deep learning models for predicting cardiovascular diseases (CVDs) using electrocardiography (ECG) data collected from various hospitals. We evaluated the privacy–utility trade-off by analyzing model performance under different privacy budgets (ϵ) across different model architectures, including the high-capacity ResNet with squeeze-and-excitation (ResNet-SE), transformer-based model, and two simple baselines: logistic regression (LR) and multilayer perceptrons (MLP). The original ResNet-SE model, with 8.81 million parameters, showed substantial performance degradation under DP with macro- and micro-average AUCs decreasing from 0.90 and 0.92 to 0.79 and 0.82 at ϵ=10. By reducing the model size by 98.4% to 142,934 parameters, we achieved a better balance between accuracy and privacy, with macro- and micro-average AUCs of 0.87 and 0.89, only 0.03 lower than its non-private performance. The transformer-based model showed weaker robustness to DP, with a macro- and micro-average AUCs dropping from 0.88 and 0.91 to 0.64 and 0.73, while LR and MLP baselines trained on ECG handcrafted features achieved low performance even without privacy. The effect of training with DP varied across classes, having only minimal impact on the four largest classes (AUC reduction ≤ 0.01), but more substantial performance decreases were observed for many of the smaller classes (e.g. 0.10 drop for a condition with a 1.19% class size, and a drop of 0.28 for condition with class size of 3.10%). Overall, our study demonstrates the positive effect of reducing model complexity for improving privacy-utility trade-off for predicting CVDs.

Downloadable publication

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.

1-s2.0-S1746809425010134-main.pdf

Funding information in the publication:
This work has been supported by Research Council of Finland (grant 358868).