Editorial
NPJ Digital Medicine. 2026 Mar 11;9:207. doi: 10.1038/s41746-026-02549-x

“Doing no harm” in the digital age: navigating tradeoffs and operational considerations for privacy-preserving deep learning in medicine

Ariel Yuhan Ong, Kyra L Rosen, Margaret Sui, Joseph C Kvedar
PMCID: PMC12979696  PMID: 41814060

Abstract

As artificial intelligence (AI) is increasingly deployed in clinical care, protecting patient privacy has become a central challenge. Mohammadi et al. examine the emerging use of privacy-enhancing technologies in medical deep learning, and look at how formal privacy guarantees interact with model performance and fairness. Their findings reveal variability in performance-privacy tradeoffs across data types and tasks, and highlight the risk that privacy constraints may widen existing disparities if not carefully evaluated. Beyond performance, privacy and equity should also be considered as equal pillars of trustworthy medical AI.

Subject terms: Health care, Mathematics and computing

Introduction

As artificial intelligence (AI) transitions from proof-of-concept models trained in academic silos to real-world deployment, the need to examine operational considerations beyond performance becomes paramount. AI models can inadvertently encode traces of the patient data on which they were trained [1] – data which healthcare systems are legally and ethically obligated to protect [2]. Preserving this protection is fundamental to maintaining patient trust and the social license for data-driven healthcare [3,4], particularly as health data contain personal identifiers, histories, and uniquely sensitive information that can have profound implications for the individual if exposed [5]. Emerging threats from malicious actors such as model inversion attacks – attempts to reconstruct sensitive attributes of the data used to train a model – threaten this balance [6,7].

What is differential privacy?

Differential privacy is a cybersecurity method that has been positioned as one of the leading approaches to address privacy concerns [8]. It describes a mathematical framework designed to preserve the anonymity of individual data contributors [9]. The fundamental concept is straightforward – a model’s outputs should not change significantly whether or not any single individual’s data contributed to the training process. It works by adding carefully calibrated “noise” (or random mathematical variation) to limit how much information about any data point can be learned, whilst still allowing the model to learn meaningful patterns. However, as with any powerful tool, its value depends on how it is deployed and evaluated in the context of clinical priorities.

Mohammadi et al. [10] present a scoping review on differential privacy in medical deep learning, which included 74 eligible studies from four databases searched to 1 March 2025. The authors examine how differential privacy-based methods mitigate privacy attacks, and how this influences model performance and fairness in clinical applications. This is particularly pertinent because such mitigation strategies can alter the model learning process, with consequences for downstream utility (performance) and reliability [11].

The privacy-utility tradeoff reporting gap

Mathematically, the strength of a differential privacy guarantee is governed by the “privacy budget”, which is typically denoted by parameters such as ε (epsilon). This is a metric quantifying how much a single individual’s data influences the model’s outputs [9]. Lower values of ε confer a stronger guarantee of privacy by injecting more noise into the learning process, at the risk of substantial performance degradation, whereas larger ε relaxes privacy but improves model utility. This privacy-utility tradeoff is a core challenge for differential privacy, and contextualizing this in clinically meaningful terms is essential for transparent evaluation.

Mohammadi et al. reported that studies involving more complex data and tasks (e.g. histopathology, dermoscopy, and speech) described larger performance drops at high privacy budgets compared to the baseline (prior to applying differential privacy), suggesting that differential privacy might be more readily deployed in some clinical domains than others that would require additional privacy-enhancing techniques to address [10]. However, in general, the included studies differed in how they reported performance under different privacy budgets (e.g. AUROC vs sensitivity), with many reporting performance metrics at one ε level alone, limiting direct comparability across specialties, data modalities, and tasks [10]. This makes it challenging to determine whether observed performance declines reflect inherent limitations of differential privacy in certain domains, or simply differences in study design and reporting.

This reporting gap is also analogous to evaluating a “dose-response relationship” for drugs, where reporting accuracy at one privacy budget is akin to reporting a drug’s effect at a single dose, and does not suffice to show how efficacy and adverse effects change as the dose increases. In clinical contexts, knowing that privacy is “preserved” is not enough – instead, how much privacy was achieved and what was sacrificed to obtain it is essential for navigating the tradeoffs between privacy and utility. As ε is a continuous parameter, reporting model performance across several pre-defined ε levels (e.g. high, medium, low) to allow transparent characterization of this trade-off may support threshold-based decisions by developers and data governance committees, without substantially increasing analytical complexity.

Reporting of other key parameters such as delta (δ, the probability of privacy leakage) and key details for differential privacy implementation to support reproducibility was also poor.

Equity as an essential (but often missing) design principle in differential privacy

Mohammadi et al. also highlight the importance of examining how differential privacy behaves across sociodemographic subgroups. Limited data suggest that models trained on imbalanced datasets already tend to perform worse on underrepresented subgroups, and injecting noise from differential privacy without fairness constraints into these imbalanced datasets can amplify these disparities, likely because noise interferes more with learning patterns in smaller groups [12]. This creates an ethical dilemma wherein the very mechanisms designed to protect patient privacy could inadvertently worsen existing inequities.
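The two reporting recommendations above, utility at several pre-defined ε levels and utility broken out by subgroup, can be seen in a small added illustration that is not from the editorial or from Mohammadi et al. It swaps deep-learning training for the simpler Laplace mechanism applied to a subgroup prevalence estimate; the data, group names and function names are constructed for the example.

```python
import random

# Constructed sample data (not from the article): binary outcome labels for a
# well-represented subgroup and an underrepresented one, same true prevalence.
GROUPS = {"majority": [1] * 400 + [0] * 1600, "minority": [1] * 10 + [0] * 40}
EPSILONS = (0.1, 1.0, 10.0)  # pre-defined low / medium / high privacy budgets


def laplace(rng, scale):
    """Laplace(0, scale) noise as the difference of two exponential draws.

    Illustrative only: naive floating-point samplers are not safe for
    production use; a vetted DP library should supply the noise there.
    """
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_prevalence(labels, epsilon, rng):
    """Epsilon-DP estimate of the positive fraction (group size treated as public).

    Replacing one record changes the positive count by at most 1, so the
    count has sensitivity 1 and the Laplace scale is 1 / epsilon.
    """
    noisy_count = sum(labels) + laplace(rng, 1.0 / epsilon)
    # Clamping to [0, 1] is post-processing and does not weaken the guarantee.
    return min(1.0, max(0.0, noisy_count / len(labels)))


def privacy_utility_curve(groups=GROUPS, epsilons=EPSILONS, trials=2000, seed=7):
    """Mean absolute error of the DP estimate for every (subgroup, epsilon)."""
    rng = random.Random(seed)
    curve = {}
    for name, labels in groups.items():
        truth = sum(labels) / len(labels)
        for eps in epsilons:
            errors = [abs(dp_prevalence(labels, eps, rng) - truth) for _ in range(trials)]
            curve[(name, eps)] = sum(errors) / trials
    return curve


if __name__ == "__main__":
    for (name, eps), err in privacy_utility_curve().items():
        print(f"{name:9s} epsilon={eps:<5} mean abs error={err:.4f}")
```

The same noise scale is divided by the group size, so at every ε the 50-record subgroup carries far more error than the 2000-record one, and a single-ε, whole-population figure would hide both effects.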

Only 5/74 studies audited the fairness of their differential privacy techniques, and typically focused on performance across single attributes (e.g. age, sex, ethnicity) without examining intersectionality, which may be overly reductionist as intersecting identities (e.g. age and sex, or age and ethnicity) may create compounding biases that cannot be predicted from the effect of each identity in isolation [13,14]. These issues may relate to poor recording of sociodemographic attributes across multiple datasets [15,16], data imbalance due to underserved groups having limited access to healthcare services [17], or health data poverty in settings with limited resources for data curation [18]. As such, incorporating inclusive standards from initiatives such as the STANDING Together (Standards for Data Diversity, Inclusivity, and Generalizability) consensus recommendations [19] into the evaluation of privacy-preserving techniques may help ensure that efforts to protect individual data do not further obscure or amplify existing inequities.

Even though techniques that integrate fairness constraints or subgroup-aware optimization into differential privacy training can mitigate disproportionate harms [12], they do not remove the need for explicit value judgments about acceptable privacy-utility trade-offs. This highlights the role of co-designing privacy and fairness objectives with relevant stakeholders beyond developers (e.g. clinical experts, governance leads, patient and public representatives) rather than treating this as an afterthought to system design and evaluation [20,21]. This broader involvement may help ensure that privacy protections are implemented in ways that protect individuals in theory without worsening inequities in practice.

Real-world implications and future directions

Privacy engineering cannot remain an abstract academic exercise, and should also be firmly anchored in governance and regulatory frameworks, although these vary across jurisdictions. Privacy laws such as Europe’s General Data Protection Regulation (GDPR) already embed principles that align with formal privacy-preserving methods, such as data minimization, integrity and confidentiality, and accountability for privacy risks [22]. The UK Information Commissioner’s Office has also explicitly recognized differential privacy (alongside other privacy-enhancing techniques) as part of responsible AI design [23]. While there is no clear regulatory mandate for choice of thresholds (e.g. ε) for privacy-preserving AI in healthcare, developers must typically provide a risk-based justification for their design choices comparable to current “state-of-the-art”. Defining clinically meaningful thresholds for acceptable performance degradation under privacy constraints and developing practical tools for auditing privacy leakage and the impact on performance in key subgroups should be considered as priorities for the field, and reflect emerging best practice that regulators are increasingly likely to scrutinize, even where it is not yet formally codified as a requirement.

Finally, differential privacy is one part of a broader ecosystem of privacy-enhancing technologies. Federated learning offers a way to train models without pooling data centrally, but does not eliminate the risk of information leakage from models [24], which suggests a role for combining federated architectures with differential privacy as a complementary safeguard [25]. In parallel, synthetic data generation under formal privacy constraints is gaining traction as a method of enabling data sharing for model development and benchmarking while preserving privacy. However, ensuring that synthetic datasets preserve clinically meaningful structure (especially for longitudinal and high-dimensional data) without encoding or amplifying biases remains an open challenge [26].

Conclusion

Mohammadi et al. highlight that privacy should not be an afterthought but should be considered early in the AI lifecycle, as it involves explicit design choices that directly shape performance, fairness, and user trust. Privacy should not be treated as a binary feature but as a design parameter requiring explicit evaluation. Developers should consider more systematic exploration of privacy-utility curves across diverse tasks, report performance across predefined privacy budgets, and characterize subgroup and intersectional performance under differential privacy. Data governance committees and procurement bodies can then assess whether the selected privacy budget is proportionate to the sensitivity of the data, and whether clinically acceptable performance is maintained. This shifts differential privacy from a technical abstraction to a practical governance tool, aligning privacy, performance, and equity as equal considerations in responsible clinical AI.

Author contributions

AYO wrote the original draft of the manuscript. All authors (AYO, KLR, MS, JCK) reviewed and critically revised subsequent drafts, and have read and approved the submitted manuscript.

Data Availability

No datasets were generated or analysed during the current study.

Competing interests

JCK is the editor-in-chief of npj Digital Medicine and had no role in the peer review or decision to publish this manuscript. The remaining authors do not have any conflicts of interest to declare.

References

  • 1. Yang, W. et al. Deep learning model inversion attacks and defenses: a comprehensive survey. Artif Intell Rev 58, 242 (2025).
  • 2. Pyrrho, M., Cambraia, L. & de Vasconcelos, V. F. Privacy and Health Practices in the Digital Age. Am. J. Bioeth. 22, 50–59 (2022).
  • 3. Muller, S. H. A., Kalkman, S., van Thiel, G. J. M. W., Mostert, M. & van Delden, J. J. M. The social licence for data-intensive health research: towards co-creation, public value and trust. BMC Med Ethics 22, 110 (2021).
  • 4. Murdoch, B. Privacy and artificial intelligence: challenges for protecting health information in a new era. BMC Med Ethics 22, 122 (2021).
  • 5. Kuo, R. et al. Public perceptions of health data sharing for artificial intelligence research: a qualitative focus group study in the UK. J Digit Health 2, e000239 (2026).
  • 6. Hintersdorf, D., Struppek, L. & Kersting, K. Balancing Transparency and Risk: An Overview of the Security and Privacy Risks of Open-Source Machine Learning Models. In Bridging the Gap Between AI and Reality. AISoLA 2023. Lecture Notes in Computer Science (ed. Steffen, B.) Vol. 14129 (Springer, Cham, 2025).
  • 7. Wei, J. et al. Memorization in Deep Learning: A Survey. ACM Comput. Surv. 58, 98:1–98:35 (2025).
  • 8. Ziller, A. et al. Reconciling privacy and accuracy in AI for medical imaging. Nat Mach Intell 6, 764–774 (2024).
  • 9. Dwork, C. & Roth, A. The Algorithmic Foundations of Differential Privacy. Foundations and Trends® in Theoretical Computer Science 9, 211–487 (2014).
  • 10. Mohammadi, M. et al. Differential privacy for medical deep learning: methods, tradeoffs, and deployment implications. npj Digit. Med. 9, 93 (2026).
  • 11. Mohammadi, M. et al. Differential Privacy for Deep Learning in Medicine. Preprint at 10.48550/arXiv.2506.00660 (2025).
  • 12. Fioretto, F., Tran, C. & Hentenryck, P. V. Decision Making with Differential Privacy under a Fairness Lens. Preprint at 10.48550/arXiv.2105.07513 (2024).
  • 13. Bowleg, L. The problem with the phrase women and minorities: intersectionality-an important theoretical framework for public health. Am J Public Health 102, 1267–1273 (2012).
  • 14. Ulnicane, I. Intersectionality in Artificial Intelligence: Framing Concerns and Recommendations for Action. SI 12, 7543 (2024).
  • 15. Wu, J. et al. Clinical Text Datasets for Medical Artificial Intelligence and Large Language Models — A Systematic Review. NEJM AI 1, AIra2400012 (2024).
  • 16. Ong, A. Y. et al. A scoping review of artificial intelligence as a medical device for ophthalmic image analysis in Europe, Australia and America. npj Digit. Med. 8, 1–13 (2025).
  • 17. Celi, L. A. et al. Sources of bias in artificial intelligence that perpetuate healthcare disparities—A global review. PLOS Digital Health 1, e0000022 (2022).
  • 18. Ibrahim, H., Liu, X., Zariffa, N., Morris, A. D. & Denniston, A. K. Health data poverty: an assailable barrier to equitable digital health care. The Lancet Digital Health 3, e260–e265 (2021).
  • 19. Alderman, J. E. et al. Tackling algorithmic bias and promoting transparency in health datasets: the STANDING Together consensus recommendations. The Lancet Digital Health 7, e64–e88 (2025).
  • 20. Sacre, A. & Godfrey, A. Co-designing the future: End-user involvement in digital interventions. npj Digit. Med. 9, 160 (2026).
  • 21. Kilfoy, A. et al. An umbrella review on how digital health intervention co-design is conducted and described. NPJ Digit. Med. 7, 374 (2024).
  • 22. Wolford, B. What is GDPR, the EU’s new data protection law? GDPR.eu https://gdpr.eu/what-is-gdpr/ (2018).
  • 23. How should we assess security and data minimisation in AI? https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/how-should-we-assess-security-and-data-minimisation-in-ai/ (2025).
  • 24. Sharma, S. & Guleria, K. A comprehensive review on federated learning based models for healthcare applications. Artificial Intelligence in Medicine 146, 102691 (2023).
  • 25. McMahan, H. B., Ramage, D., Talwar, K. & Zhang, L. Learning differentially private recurrent language models (2018).
  • 26. Liu, Y., Acharya, U. R. & Tan, J. H. Preserving privacy in healthcare: A systematic review of deep learning approaches for synthetic data generation. Computer Methods and Programs in Biomedicine 260, 108571 (2025).


Articles from NPJ Digital Medicine are provided here courtesy of Nature Publishing Group
