Open Data in the Era of the GDPR: Lessons from the Human Cell Atlas.

The Human Cell Atlas (HCA) is striving to build an open community that is inclusive of all researchers adhering to its principles and as open as possible with respect to data access and use. However, open data sharing can pose certain challenges. For instance, being a global initiative, the HCA must contend with a patchwork of local and regional privacy rules. A notable example is the implementation of the European Union General Data Protection Regulation (GDPR), which caused some concern in the biomedical and genomic data-sharing community. We examine how the HCA's large, international group of researchers is investing tremendous efforts into ensuring appropriate sharing of data. We describe the HCA's objectives and governance, how it defines open data sharing, and ethico-legal challenges encountered early in its development; in particular, we describe the challenges prompted by the GDPR. Finally, we broaden the discussion to address tools and strategies that can be used to address ethical data governance.

Novel and Proven Models of Public, Private, and Public-Private Partnerships in Healthcare: An Update.

Initiatives to share assets in the life science sector through dedicated partnerships had and still have a multitude of different aspects in the past few decades. The range goes from industry partners, small and big companies, in bilateral agreements with academic institutions up to large privately and publicly funded consortia. In general, the term public-private partnership (PPP) is used when at least one public (non-profit, academic, and/or government) part and one or more private for-profit partners are involved. A Public-Private Partnership is often driven by a public body, i.e. a ministry or a public agency. Their synergism has been described 10 years ago (Dearing, Science 315(19):344-347, 2007; Casty and Wieman, Ther Innov Regul Sci 47(3):375-383, 2013; Stevens et al., Biotechnol Law Rep 34(4):153-165, 2015). So why view this synergism again today? It will be shown that the situation in life science has changed: novel partners acting digital, data expertise being involved on many levels and novel partnering models arising. Success and challenges will be described in this chapter.

[Legal aspects in digital cardiology]. / Rechtliche Aspekte in der digitalen Kardiologie.

Digital assistants have become an indispensable tool in modern cardiology. The associated technological progress offers a significant potential to increase the efficiency of medical processes, enable more precise diagnoses in a shorter time, and thus improve patient care. However, the integration of digital assistants into clinical cardiology also raises new challenges and questions, particularly regarding the handling of legal issues. This review article aims to raise awareness of individual legal issues resulting from the use of digital technologies in cardiology. The focus is on how to deal with various legal challenges that cardiologists face, including issues related to treatment freedom, professional confidentiality and data protection. The integration of digital assistants in cardiology leads to a noticeable improvement in efficiency and quality of patient care, but at the same time, it involves a variety of legal challenges that need to be carefully addressed.

Acceptance of Social Media Recruitment for Clinical Studies Among Patients With Hepatitis B: Mixed Methods Study.

BACKGROUND: Social media platforms are increasingly used to recruit patients for clinical studies. Yet, patients' attitudes regarding social media recruitment are underexplored. OBJECTIVE: This mixed methods study aims to assess predictors of the acceptance of social media recruitment among patients with hepatitis B, a patient population that is considered particularly vulnerable in this context. METHODS: Using a mixed methods approach, the hypotheses for our survey were developed based on a qualitative interview study with 6 patients with hepatitis B and 30 multidisciplinary experts. Thematic analysis was applied to qualitative interview analysis. For the cross-sectional survey, we additionally recruited 195 patients with hepatitis B from 3 clinical centers in Germany. Adult patients capable of judgment with a hepatitis B diagnosis who understood German and visited 1 of the 3 study centers during the data collection period were eligible to participate. Data analysis was conducted using SPSS (version 28; IBM Corp), including descriptive statistics and regression analysis. RESULTS: On the basis of the qualitative interview analysis, we hypothesized that 6 factors were associated with acceptance of social media recruitment: using social media in the context of hepatitis B (hypothesis 1), digital literacy (hypothesis 2), interest in clinical studies (hypothesis 3), trust in nonmedical (hypothesis 4a) and medical (hypothesis 4b) information sources, perceiving the hepatitis B diagnosis as a secret (hypothesis 5a), attitudes toward data privacy in the social media context (hypothesis 5b), and perceived stigma (hypothesis 6). Regression analysis revealed that the higher the social media use for hepatitis B (hypothesis 1), the higher the interest in clinical studies (hypothesis 3), the more trust in nonmedical information sources (hypothesis 4a), and the less secrecy around a hepatitis B diagnosis (hypothesis 5a), the higher the acceptance of social media as a recruitment tool for clinical hepatitis B studies. CONCLUSIONS: This mixed methods study provides the first quantitative insights into social media acceptance for clinical study recruitment among patients with hepatitis B. The study was limited to patients with hepatitis B in Germany but sets out to be a reference point for future studies assessing the attitudes toward and acceptance of social media recruitment for clinical studies. Such empirical inquiries can facilitate the work of researchers designing clinical studies as well as ethics review boards in balancing the risks and benefits of social media recruitment in a context-specific manner.

Ethical Considerations and Fundamental Principles of Large Language Models in Medical Education: Viewpoint.

This viewpoint article first explores the ethical challenges associated with the future application of large language models (LLMs) in the context of medical education. These challenges include not only ethical concerns related to the development of LLMs, such as artificial intelligence (AI) hallucinations, information bias, privacy and data risks, and deficiencies in terms of transparency and interpretability but also issues concerning the application of LLMs, including deficiencies in emotional intelligence, educational inequities, problems with academic integrity, and questions of responsibility and copyright ownership. This paper then analyzes existing AI-related legal and ethical frameworks and highlights their limitations with regard to the application of LLMs in the context of medical education. To ensure that LLMs are integrated in a responsible and safe manner, the authors recommend the development of a unified ethical framework that is specifically tailored for LLMs in this field. This framework should be based on 8 fundamental principles: quality control and supervision mechanisms; privacy and data protection; transparency and interpretability; fairness and equal treatment; academic integrity and moral norms; accountability and traceability; protection and respect for intellectual property; and the promotion of educational research and innovation. The authors further discuss specific measures that can be taken to implement these principles, thereby laying a solid foundation for the development of a comprehensive and actionable ethical framework. Such a unified ethical framework based on these 8 fundamental principles can provide clear guidance and support for the application of LLMs in the context of medical education. This approach can help establish a balance between technological advancement and ethical safeguards, thereby ensuring that medical education can progress without compromising the principles of fairness, justice, or patient safety and establishing a more equitable, safer, and more efficient environment for medical education.

The potential of federated learning for public health purposes: a qualitative analysis of GDPR compliance, Europe, 2021.

BackgroundThe wide application of machine learning (ML) holds great potential to improve public health by supporting data analysis informing policy and practice. Its application, however, is often hampered by data fragmentation across organisations and strict regulation by the General Data Protection Regulation (GDPR). Federated learning (FL), as a decentralised approach to ML, has received considerable interest as a means to overcome the fragmentation of data, but it is yet unclear to which extent this approach complies with the GDPR.AimOur aim was to understand the potential data protection implications of the use of federated learning for public health purposes.MethodsBuilding upon semi-structured interviews (n = 14) and a panel discussion (n = 5) with key opinion leaders in Europe, including both FL and GDPR experts, we explored how GDPR principles would apply to the implementation of FL within public health.ResultsWhereas this study found that FL offers substantial benefits such as data minimisation, storage limitation and effective mitigation of many of the privacy risks of sharing personal data, it also identified various challenges. These challenges mostly relate to the increased difficulty of checking data at the source and the limited understanding of potential adverse outcomes of the technology.ConclusionSince FL is still in its early phase and under rapid development, it is expected that knowledge on its impracticalities will increase rapidly, potentially addressing remaining challenges. In the meantime, this study reflects on the potential of FL to align with data protection objectives and offers guidance on GDPR compliance.

[Short paths to diagnosis with artificial intelligence: systematic literature review on diagnostic decision support systems]. / Kurze Wege zur Diagnose mit künstlicher Intelligenz ­ systematische Literaturrecherche zu "diagnostic decision support systems".

BACKGROUND: Rare diseases are often recognized late. Their diagnosis is particularly challenging due to the diversity, complexity and heterogeneity of clinical symptoms. Computer-aided diagnostic aids, often referred to as diagnostic decision support systems (DDSS), are promising tools for shortening the time to diagnosis. Despite initial positive evaluations, DDSS are not yet widely used, partly due to a lack of integration with existing clinical or practice information systems. OBJECTIVE: This article provides an insight into currently existing diagnostic support systems that function without access to electronic patient records and only require information that is easily obtainable. MATERIALS AND METHODS: A systematic literature search identified eight articles on DDSS that can assist in the diagnosis of rare diseases with no need for access to electronic patient records or other information systems in practices and hospitals. The main advantages and disadvantages of the identified rare disease diagnostic support systems were extracted and summarized. RESULTS: Symptom checkers and DDSS based on portrait photos and pain drawings already exist. The degree of maturity of these applications varies. CONCLUSION: DDSS currently still face a number of challenges, such as concerns about data protection and accuracy, and acceptance and awareness continue to be rather low. On the other hand, there is great potential for faster diagnosis, especially for rare diseases, which are easily overlooked due to their large number and the low awareness of them. The use of DDSS should therefore be carefully considered by doctors on a case-by-case basis.

[Chat messenger use in the care of patients with Parkinson's disease]. / Chat-Messenger-Nutzung in der Parkinson-Versorgung.

BACKGROUND: The demand for chat messaging apps for communication between physicians, therapists and patients is increasing. The expectations for this form of communication and uncertainties regarding introduction and use are heterogeneous. OBJECTIVE: The implementation of chat messengers in the care of patients with Parkinson's disease should be facilitated by recommendations regarding introduction and usage. METHODS: Semi-structured interviews with neurologists and physiotherapists were conducted to capture the expectations and needs regarding the use of chat messengers. From the data analysis, recommendations were derived. RESULTS: The expectations for technical functionality exceeded the chat messenger functions. This concerns, e.g., the connection of the chat messenger to the electronic patient file. There is a great deal of uncertainty, particularly when it comes to the applicable General Data Protection Regulations (GDPR). The recommendations relating to the use of chat messengers, data protection aspects, the design of such tools and methodological considerations can help to implement the tool as an additional communication channel. CONCLUSION: Practical recommendations regarding functionality, the use of chat messengers in everyday life and in relation to data protection are derived from the results. By improving knowledge, physicians and therapists can contribute to the successful establishment of chat messengers as an additional communication tool.

[Open educational resources for otorhinolaryngology : A pilot study on needs assessment and implementation]. / Open Educational Resources für die HNO-Heilkunde : Ein Pilotprojekt zur Bedarfsanalyse und Implementierung.

BACKGROUND: Open educational resources (OER) are educational materials licensed openly by authors, permitting usage, redistribution, and in some instances, modification. OER platforms thereby serve as a medium for distributing and advancing teaching materials and innovative educational methodologies. OBJECTIVE: This study aims to determine the present state of OER in otorhinolaryngology and to examine the prerequisites for seamlessly integrating OER into the curricular teaching of medical schools, specifically through the design of two OER blended learning modules. METHODS: OER content in the field of otorhinolaryngology was analyzed on OER platforms, ensuring its relevance to the German medical curriculum. Data protection concerns were addressed with legal counsel. The blended learning modules were developed in collaboration with medical students and subsequently published as OER. RESULTS AND CONCLUSION: This project yielded the first OER from a German ENT department, tailored to the German medical curriculum. One significant barrier to OER use in medicine, more than in other fields, is data protection. This challenge can be navigated by obtaining consent to publish patient data as OER. OER hold the promise to play a pivotal role in fostering cooperation and collaboration among educators, aiding educators in lesson preparation, and simultaneously enhancing didactic quality.

[Artificial intelligence and secure use of health data in the KI-FDZ project: anonymization, synthetization, and secure processing of real-world data]. / Künstliche Intelligenz und sichere Gesundheitsdatennutzung im Projekt KI-FDZ: Anonymisierung, Synthetisierung und sichere Verarbeitung für Real-World-Daten.

The increasing digitization of the healthcare system is leading to a growing volume of health data. Leveraging this data beyond its initial collection purpose for secondary use can provide valuable insights into diagnostics, treatment processes, and the quality of care. The Health Data Lab (HDL) will provide infrastructure for this purpose. Both the protection of patient privacy and optimal analytical capabilities are of central importance in this context, and artificial intelligence (AI) provides two opportunities. First, it enables the analysis of large volumes of data with flexible models, which means that hidden correlations and patterns can be discovered. Second, synthetic - that is, artificial - data generated by AI can protect privacy.This paper describes the KI-FDZ project, which aims to investigate innovative technologies that can support the secure provision of health data for secondary research purposes. A multi-layered approach is investigated in which data-level measures can be combined in different ways with processing in secure environments. To this end, anonymization and synthetization methods, among others, are evaluated based on two concrete application examples. Moreover, it is examined how the creation of machine learning pipelines and the execution of AI algorithms can be supported in secure processing environments. Preliminary results indicate that this approach can achieve a high level of protection while maintaining data validity. The approach investigated in the project can be an important building block in the secure secondary use of health data.

[Establishment of the new "Health Data Lab" to provide data for science]. / Aufbau des neuen "Forschungsdatenzentrums Gesundheit" zur Datenbereitstellung für die Wissenschaft.

The analysis of real-world data (RWD) has become increasingly important in health research in recent years. With the BfArM Health Data Lab (HDL), which is currently being set up, researchers will in future be able to gain access to routine data from the statutory health insurance of around 74 million people in Germany. Data from electronic patient records can also be made available for research prospectively. In doing so, the Health Data Lab guarantees the highest data protection and IT security standards. The digital application process, the provision of data in secure processing environments as well as the features supporting the analyses such as catalogues of coding systems, a point-and-click analysis tool and predefined standard analyses increase user-friendliness for researchers. The use of the extensive health data accessible at HDL will open a wide range of future possibilities for improving the health system and the quality of care. This article begins by highlighting the advantages of the HDL and outlining the opportunities that the RWD offers for research in healthcare and for the population. The structure and central aspects of the HDL are explained afterwards. An outlook on the opportunities of linking different data is given. What the application and data usage processes at the HDL will look like is illustrated using the example of fictitious possibilities for analysing long COVID based on the routine data available at the HDL in the future.

["Dark patterns": manipulative design strategies in digital health applications]. / Dark Patterns: manipulative Designstrategien in digitalen Gesundheitsanwendungen.

Among other things, digital health applications offer users support in better understanding their physical and mental health through digital data, thereby promoting positive health behavior. In addition to state-approved digital health applications (DiGA) and digital care applications (DiPA), there is a wide array of other commercial health applications available to users. Particularly in non-approved applications, developers often deploy manipulative design strategies (dark patterns), intentionally or unintentionally, to deceive users into making specific decisions. This article provides an overview of current and widespread dark patterns and assesses the risks posed by them in digital health applications.In the future, "light" should be shed on dark patterns by creating more transparency for users, providing regulators with a more accurate understanding of dark patterns, and paying more attention to the implementation of guidelines. Thus, users may gain autonomy using healthcare applications and their data can be better protected.

[Nationally standardized broad consent in practice: initial experiences, current developments, and critical assessment]. / National standardisierter Broad Consent in der Praxis: erste Erfahrungen, aktuelle Entwicklungen und kritische Betrachtungen.

BACKGROUND: The digitalization in the healthcare sector promises a secondary use of patient data in the sense of a learning healthcare system. For this, the Medical Informatics Initiative's (MII) Consent Working Group has created an ethical and legal basis with standardized consent documents. This paper describes the systematically monitored introduction of these documents at the MII sites. METHODS: The monitoring of the introduction included regular online surveys, an in-depth analysis of the introduction processes at selected sites, and an assessment of the documents in use. In addition, inquiries and feedback from a large number of stakeholders were evaluated. RESULTS: The online surveys showed that 27 of the 32 sites have gradually introduced the consent documents productively, with a current total of 173,289 consents. The analysis of the implementation procedures revealed heterogeneous organizational conditions at the sites. The requirements of various stakeholders were met by developing and providing supplementary versions of the consent documents and additional information materials. DISCUSSION: The introduction of the MII consent documents at the university hospitals creates a uniform legal basis for the secondary use of patient data. However, the comprehensive implementation within the sites remains challenging. Therefore, minimum requirements for patient information and supplementary recommendations for best practice must be developed. The further development of the national legal framework for research will not render the participation and transparency mechanisms developed here obsolete.

Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: Insights from Germany, Greece, Latvia and Sweden.

The EU member states' healthcare and health-related research sectors are both characterized by an emerging infrastructural coalescence on a national and European level. The culmination of this coalescence is the planned creation of a European Health Data Space, an EU-wide infrastructure for the processing of personal data for healthcare and for secondary uses such as scientific research. In contrast to growing technical interoperability, the legal framework for such integration is not yet defined in detail, particularly with regard to data protection law. Its development is accompanied by discussions about divergent member state implementations of the EU General Data Protection Regulation (GDPR) that affect data sharing between healthcare and scientific research actors and across various sectors driven by divergent processing purposes. The article presents four member states' main rules on data sharing based on the respective provision of the GDPR in six health-related contexts regarding data sharing across the healthcare and research sector and between the main actors of those sectors. The striking differences are then evaluated from the perspective of their factual effect on European data sharing depending on the legal characteristics of the GDPR provisions they rely on. Against this backdrop, the planned regulatory measures for the setup of the European Health Data Space are introduced and evaluated with regard to further harmonization between member states' laws and possibilities to overcome divergences in data protection rules relevant for European data sharing. The results of the analysis point to the conclusion that the destructive effect of divergent member state rules depends on the legal qualification of the EU provisions they rely on and that this qualification also determines which further EU regulatory measure would be the most effective to set the framework for the European Health Data Space.

Reimagining Patient Data Access for Researchers.

OBJECTIVES: Widespread use of electronic health records (EHRs) now makes it feasible to expand beyond health insurance claims data to include full EHR data for health economics and outcomes research (HEOR) studies. We seek to develop ways to maximize researcher access to such data while strongly protecting patients' privacy rights. METHODS: We analyzed alternative organizational structures and intellectual property rights assignments as they now exist and compared these with structures and intellectual property rights assignments that would maximize access to data for HEOR studies and minimize transactions costs. We analyzed data protection requirements and financial incentives at 3 levels: patient decision making, patients' data aggregators, and final aggregation across patients' data. RESULTS: Creating new HEOR data systems requires new organizations and funding, while also protecting patients' data privacy rights. The Cures Act enables a new market for trusted third parties (TTPs) to aggregate patients' data. New secondary data aggregators must combine individuals' aggregated EHRs into usable HEOR databases. Maximal patient participation requires complete health insurance coverage of costs that healthcare providers charge for transmitting patients' data to TTPs. The new secondary system to aggregate data from many TTPs into usable HEOR optimally has external funding. CONCLUSIONS: Important steps remain uncompleted to achieve maximally available HEOR data while protecting patients' privacy rights. HEOR information is a public good, so private incentives to support creation and operation of this new system remain incomplete. Public and private support can expand this system to optimally improve people's health.

ISO 15189 is a sufficient instrument to guarantee high-quality manufacture of laboratory developed tests for in-house-use conform requirements of the European In-Vitro-Diagnostics Regulation.

The EU In-Vitro Diagnostic Device Regulation (IVDR) aims for transparent risk-and purpose-based validation of diagnostic devices, traceability of results to uniquely identified devices, and post-market surveillance. The IVDR regulates design, manufacture and putting into use of devices, but not medical services using these devices. In the absence of suitable commercial devices, the laboratory can resort to laboratory-developed tests (LDT) for in-house use. Documentary obligations (IVDR Art 5.5), the performance and safety specifications of ANNEX I, and development and manufacture under an ISO 15189-equivalent quality system apply. LDTs serve specific clinical needs, often for low volume niche applications, or correspond to the translational phase of new tests and treatments, often extremely relevant for patient care. As some commercial tests may disappear with the IVDR roll-out, many will require urgent LDT replacement. The workload will also depend on which modifications to commercial tests turns them into an LDT, and on how national legislators and competent authorities (CA) will handle new competences and responsibilities. We discuss appropriate interpretation of ISO 15189 to cover IVDR requirements. Selected cases illustrate LDT implementation covering medical needs with commensurate management of risk emanating from intended use and/or design of devices. Unintended collateral damage of the IVDR comprises loss of non-profitable niche applications, increases of costs and wasted resources, and migration of innovative research to more cost-efficient environments. Taking into account local specifics, the legislative framework should reduce the burden on and associated opportunity costs for the health care system, by making diligent use of existing frameworks.

Data management and protection in occupational and environmental exposome research - A case study from the EU-funded EXIMIOUS project.

Within collaborative projects, such as the EU-funded Horizon 2020 EXIMIOUS project (Mapping Exposure-Induced Immune Effects: Connecting the Exposome and the Immunome), collection and analysis of large volumes of data pose challenges in the domain of data management, with regards to both ethical and legal aspects. However, researchers often lack the right tools and/or accurate understanding of the ethical/legal framework to independently address such challenges. With the guidance and support within and between the partner institutes (the researchers and the ethical and legal teams) in the EXIMIOUS project, we have been able to understand and solve most challenges during the first two project years. This has fed into the development of a Data Management Plan and the establishment of data management platforms in accordance with the ethical and legal framework laid down by the EU and the different national regulations of the partners involved. Through this elaborate exercise, we have acquired tools which allow us to make our research data FAIR (Findable, Accessible, Interoperable, and Reusable), while at the same time ensuring data privacy and security (GDPR compliant). Herein we share our experience of creating and managing the data workflow through an open research communication, with the aim of helping other researchers build their data management framework in their own projects. Based on the measures adopted in EXIMIOUS to ensure FAIR data management, we also put together a checklist "DMP CHECK" containing a series of recommendations based on our experience.

mHealth Systems Need a Privacy-by-Design Approach: Commentary on "Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review".

Brauneck and colleagues have combined technical and legal perspectives in their timely and valuable paper "Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review." Researchers who design mobile health (mHealth) systems must adopt the same privacy-by-design approach that privacy regulations (eg, General Data Protection Regulation) do. In order to do this successfully, we will have to overcome implementation challenges in privacy-enhancing technologies such as differential privacy. We will also have to pay close attention to emerging technologies such as private synthetic data generation.

Federated Machine Learning, Privacy-Enhancing Technologies, and Data Protection Laws in Medical Research: Scoping Review.

BACKGROUND: The collection, storage, and analysis of large data sets are relevant in many sectors. Especially in the medical field, the processing of patient data promises great progress in personalized health care. However, it is strictly regulated, such as by the General Data Protection Regulation (GDPR). These regulations mandate strict data security and data protection and, thus, create major challenges for collecting and using large data sets. Technologies such as federated learning (FL), especially paired with differential privacy (DP) and secure multiparty computation (SMPC), aim to solve these challenges. OBJECTIVE: This scoping review aimed to summarize the current discussion on the legal questions and concerns related to FL systems in medical research. We were particularly interested in whether and to what extent FL applications and training processes are compliant with the GDPR data protection law and whether the use of the aforementioned privacy-enhancing technologies (DP and SMPC) affects this legal compliance. We placed special emphasis on the consequences for medical research and development. METHODS: We performed a scoping review according to the PRISMA-ScR (Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews). We reviewed articles on Beck-Online, SSRN, ScienceDirect, arXiv, and Google Scholar published in German or English between 2016 and 2022. We examined 4 questions: whether local and global models are "personal data" as per the GDPR; what the "roles" as defined by the GDPR of various parties in FL are; who controls the data at various stages of the training process; and how, if at all, the use of privacy-enhancing technologies affects these findings. RESULTS: We identified and summarized the findings of 56 relevant publications on FL. Local and likely also global models constitute personal data according to the GDPR. FL strengthens data protection but is still vulnerable to a number of attacks and the possibility of data leakage. These concerns can be successfully addressed through the privacy-enhancing technologies SMPC and DP. CONCLUSIONS: Combining FL with SMPC and DP is necessary to fulfill the legal data protection requirements (GDPR) in medical research dealing with personal data. Even though some technical and legal challenges remain, for example, the possibility of successful attacks on the system, combining FL with SMPC and DP creates enough security to satisfy the legal requirements of the GDPR. This combination thereby provides an attractive technical solution for health institutions willing to collaborate without exposing their data to risk. From a legal perspective, the combination provides enough built-in security measures to satisfy data protection requirements, and from a technical perspective, the combination provides secure systems with comparable performance with centralized machine learning applications.

Exploring the Relationship Between Privacy and Utility in Mobile Health: Algorithm Development and Validation via Simulations of Federated Learning, Differential Privacy, and External Attacks.

BACKGROUND: Although evidence supporting the feasibility of large-scale mobile health (mHealth) systems continues to grow, privacy protection remains an important implementation challenge. The potential scale of publicly available mHealth applications and the sensitive nature of the data involved will inevitably attract unwanted attention from adversarial actors seeking to compromise user privacy. Although privacy-preserving technologies such as federated learning (FL) and differential privacy (DP) offer strong theoretical guarantees, it is not clear how such technologies actually perform under real-world conditions. OBJECTIVE: Using data from the University of Michigan Intern Health Study (IHS), we assessed the privacy protection capabilities of FL and DP against the trade-offs in the associated model's accuracy and training time. Using a simulated external attack on a target mHealth system, we aimed to measure the effectiveness of such an attack under various levels of privacy protection on the target system and measure the costs to the target system's performance associated with the chosen levels of privacy protection. METHODS: A neural network classifier that attempts to predict IHS participant daily mood ecological momentary assessment score from sensor data served as our target system. An external attacker attempted to identify participants whose average mood ecological momentary assessment score is lower than the global average. The attack followed techniques in the literature, given the relevant assumptions about the abilities of the attacker. For measuring attack effectiveness, we collected attack success metrics (area under the curve [AUC], positive predictive value, and sensitivity), and for measuring privacy costs, we calculated the target model training time and measured the model utility metrics. Both sets of metrics are reported under varying degrees of privacy protection on the target. RESULTS: We found that FL alone does not provide adequate protection against the privacy attack proposed above, where the attacker's AUC in determining which participants exhibit lower than average mood is over 0.90 in the worst-case scenario. However, under the highest level of DP tested in this study, the attacker's AUC fell to approximately 0.59 with only a 10% point decrease in the target's R2 and a 43% increase in model training time. Attack positive predictive value and sensitivity followed similar trends. Finally, we showed that participants in the IHS most likely to require strong privacy protection are also most at risk from this particular privacy attack and subsequently stand to benefit the most from these privacy-preserving technologies. CONCLUSIONS: Our results demonstrated both the necessity of proactive privacy protection research and the feasibility of the current FL and DP methods implemented in a real mHealth scenario. Our simulation methods characterized the privacy-utility trade-off in our mHealth setup using highly interpretable metrics, providing a framework for future research into privacy-preserving technologies in data-driven health and medical applications.