Securing deep learning models with differential privacy for cardiovascular disease prediction



Orabe, Zoher; Vasankari, Antti; Pahikkala, Tapio; Kaisti, Matti; Airola, Antti

PublisherElsevier BV

2026

 Biomedical Signal Processing and Control

108502

112

Part C

1746-8094

1746-8108

DOIhttps://doi.org/10.1016/j.bspc.2025.108502

https://doi.org/10.1016/j.bspc.2025.108502

https://research.utu.fi/converis/portal/detail/Publication/500354499


This study investigates how differential privacy (DP) can enhance data confidentiality in deep learning models for predicting cardiovascular diseases (CVDs) using electrocardiography (ECG) data collected from various hospitals. We evaluated the privacy–utility trade-off by analyzing model performance under different privacy budgets (ϵ) across different model architectures, including the high-capacity ResNet with squeeze-and-excitation (ResNet-SE), transformer-based model, and two simple baselines: logistic regression (LR) and multilayer perceptrons (MLP). The original ResNet-SE model, with 8.81 million parameters, showed substantial performance degradation under DP with macro- and micro-average AUCs decreasing from 0.90 and 0.92 to 0.79 and 0.82 at ϵ=10. By reducing the model size by 98.4% to 142,934 parameters, we achieved a better balance between accuracy and privacy, with macro- and micro-average AUCs of 0.87 and 0.89, only 0.03 lower than its non-private performance. The transformer-based model showed weaker robustness to DP, with a macro- and micro-average AUCs dropping from 0.88 and 0.91 to 0.64 and 0.73, while LR and MLP baselines trained on ECG handcrafted features achieved low performance even without privacy. The effect of training with DP varied across classes, having only minimal impact on the four largest classes (AUC reduction ≤ 0.01), but more substantial performance decreases were observed for many of the smaller classes (e.g. 0.10 drop for a condition with a 1.19% class size, and a drop of 0.28 for condition with class size of 3.10%). Overall, our study demonstrates the positive effect of reducing model complexity for improving privacy-utility trade-off for predicting CVDs.


This work has been supported by Research Council of Finland (grant 358868).


Last updated on 16/10/2025 11:08:30 AM