Privacy-Preserving ECG Classification

Updated 25 February 2026

Privacy-Preserving ECG Classification encompasses methods that securely analyze ECG data using cryptographic protocols, federated learning, and synthetic data generation.
These techniques achieve high diagnostic performance (e.g., 81–98% AUROC) while balancing the trade-offs between accuracy and patient confidentiality.
Recent advancements integrate explainable AI and efficient encryption schemes to support scalable, real-time, and multi-site ECG analysis in clinical and IoT settings.

Privacy-preserving ECG classification refers to computational techniques that enable the accurate detection and diagnosis of cardiac conditions from electrocardiogram (ECG) data without exposing sensitive patient information. These systems leverage advanced distributed learning, cryptographic protocols, and data transformation schemes to mitigate privacy risks in diagnostic applications, while retaining high clinical performance. Methods span federated learning (FL), differential privacy (DP), homomorphic encryption (HE), data masking, and synthetic data generation, each enforcing unique privacy and utility tradeoffs.

1. Federated Learning and Differential Privacy in Multi-Site ECG Classification

Federated Learning (FL) with optional Differential Privacy (DP) is a leading paradigm for privacy-preserving ECG classification at scale, particularly in multi-institutional clinical networks. Agrawal et al. implemented FL and DP methods on 1,565,849 12-lead ECG tracings across 7 hospitals, each storing data locally and exchanging only model parameters (Agrawal et al., 2024).

FL Workflow for ECGs

Each site computes the local binary cross-entropy loss,

$L_k(w) = \sum_{i\in D_k}\ell(f_w(x_i), y_i)$

where $\ell$ is binary cross-entropy and $D_k$ is the dataset at site $k$ .

The model architecture processes $12\times5000$ ECG matrices (per sample), plus two demographic features (age, sex), through a deep convolutional backbone and residual blocks for feature extraction and classification.
In each round, all sites perform local (potentially DP-SGD) training on their private data and communicate updated weights $w^t_k$ to the server, which aggregates via

$w^{t+1} = \sum_{k=1}^K \frac{n_k}{n} w^t_k$

where $n_k$ is the number of ECGs at site $k$ , $n=\sum_k n_k$ .

For DP, each site applies DP-SGD with per-record gradient clipping and Gaussian noise addition. The server uses a Rènyi Differential Privacy (RDP) accountant to track aggregate privacy loss, typically aiming for $\delta=10^{-5}$ and evaluating AUROC as a function of $\epsilon$ .

Empirical Performance and Tradeoffs

FL alone achieves ~81% AUROC, within 1% of pooled data training (82%), on 10-way multi-label diagnosis.
Adding DP (e.g., $\epsilon=10$ ) incurs a minor (1-2%) drop. AUROC degrades to 0.60–0.65 at $\epsilon=1$ and approaches random at $\epsilon=0.5$ .
Small hospitals (14–20k ECGs) achieve 82% AUROC via FL (vs 74-76% for local-only models), showing robust transfer of rare-condition signals.
The setup requires GPU-enabled clients and secure parameter exchange channels; DP’s utility-privacy tradeoff should be calibrated per site and use-case (Agrawal et al., 2024).

2. Privacy-Preserving ECG Classification via Homomorphic Encryption

ECG diagnosis over encrypted data is tractable using modern homomorphic encryption (HE) or hybrid schemes.

Fully Homomorphic Encryption and Real-Time Analysis

The ECG-PPS system employs both AES for transmission/storage and CKKS Fully Homomorphic Encryption (FHE) for in-cloud analytics on real-time three-lead ECGs (Yuksel et al., 2024). The workflow combines synchronous visualization (AES-decrypted) with homomorphic batch analytics:

Raw ECG segments are filtered and AES-encrypted at the device, then stored in the cloud and visualized by authorized clients.
For analytics, batches undergo CKKS encryption; the cloud computes statistical metrics (mean, variance), and applies a lightweight 1-conv CNN classifier for arrhythmia detection without decryption.
Classification performance reaches 97.8% accuracy (MIT-BIH), with per-class recall >95%.
AES ensures real-time throughput; CKKS supports privacy-preserving analytics at 0.2 Hz/window, with end-to-end batch delays of a few seconds.

Hybrid Homomorphic Encryption for Cloud-based Inference

GuardML leverages Hybrid Homomorphic Encryption (HHE) combining PASTA (symmetric cipher) and BFV (leveled HE) to offload ECG inference to the cloud (Frimpong et al., 2024):

Client encrypts ECG samples using PASTA, then homomorphically encrypts the symmetric key with BFV; the cloud runs a decryption circuit under HE, then evaluates the classifier over encrypted ECG.
Model is a single-layer integer-weighted FC network, achieving 87.4% accuracy on encrypted data (vs 87.3% plaintext int, 87.9% float).
Communication cost is dominated by encrypted result download; computation is cloud-weighted, sustaining sub-10ms per-sample client latency.

Matrix-based Protocol for SVM

Matrix encryption protocols allow fast, secure client-server SVM classification (Miao et al., 2022):

Raw ECG features are masked using random commutative matrices, permitting feature-space projection and kernel evaluation in encrypted form.
Accuracy remains indistinguishable from plaintext SVM ( $\sim$ 98.8% AUC on MIT-BIH); latency per 10-beat query <1s on commodity clients.

3. Secure ECG Data Masking and Multi-Level Encryption

Multi-level, reversible masking using compressive sensing obfuscates diagnostic evidence from partially credentialed users (Impiö et al., 2021):

ECG signals are compressed using a random Gaussian matrix with time/frequency-domain masking that perturbs windows (around R-peaks or in bands), and watermarked for full reversibility.
Fully-authorized users can invert and recover detailed ECGs for standard anomaly classification (accuracy 0.79), while semi-authorized users receive only partially masked data, suppressing anomaly classification (accuracy drops to 0.53) but retaining QRS detection (recall 0.83).
The tuning of masking ratio (MR) allows explicit utility-privacy trade-offs.

4. Federated Learning in Distributed and IoT Environments

FL is applicable across clinical and IoT environments for ECG classification.

FL with Gramian Angular Field (GAF) Encoding

Castro Villegas et al. introduced an FL framework that transforms 1D-ECG to 2D Gramian Angular Field images for CNN-based classification on heterogeneous devices (Elmir et al., 4 Nov 2025):

Devices compute local GAF representations and train 2D-CNNs under FedAvg, never sharing raw data.
Multi-client FL-GAF achieves 95.18% test accuracy (vs 87.3% single-client), with substantial per-class performance improvements (up to +34 percentage points in minority class recall).
The 2D GAF encoding substantially enriches feature map discrimination for CNNs, enabling robust low-resource inference.

FL for Multi-Site Arrhythmia (Feature-Based)

Gutierrez et al. achieve comparable F1 accuracy (0.58–0.61 FL, 0.63 CL) on 27-class arrhythmia detection using robust feature engineering, DNN/LSTM models, and FL on distributed 12-lead ECGs (Gutierrez et al., 2022).

All preprocessing (wavelet, statistical, morphological) is client-local; only global feature statistics are securely aggregated for normalization.
No information leaves the local site except model updates, substantially reducing privacy risk.
They note that non-IID data slows convergence and may reduce accuracy slightly, highlighting future utility of more robust aggregation or DP mechanisms.

Federated Transfer Learning with Explainable AI

Raza et al. integrate FL, transfer learning, and 1D-CNN autoencoders with explainable AI (Grad-CAM), enabling accurate (94–99%) arrhythmia classification and interpretability without exposing raw ECG (Raza et al., 2021).

A modular communication protocol limits shared parameters to encoder and lower classifier layers (reducing communication by ~90%).
XAI overlays visually salient features on ECG beats, supporting clinical explainability.

5. Synthetic Data Generation for Privacy-Preserving Learning

ECG classification can be decoupled from private data via generative models producing synthetic yet realistic signals.

Simulator and Experience Enhanced Diffusion Model (SE-Diff)

SE-Diff couples a latent diffusion model with physiologically-constrained ODE simulators and LLM-augmented clinical context (Wang et al., 13 Nov 2025):

Synthetic ECGs (12-lead, 10s) are generated conditioned on text, demographic, and retrieved report features, regulated by simulator-consistent regularizers.
The synthetic data augment minority classes in imbalanced classification scenarios, recovering 58–72% F1/AUC in label-starved regimes (outperforming older augmentation baselines and closing much of the gap to fully balanced training).
No real patient traces are present in augmented downstream models, enforcing practical privacy.

6. Methodological Trade-offs and Best Practices

Key Trade-offs

FL methods (with or without DP) offer high utility with modest (<5%) accuracy loss compared to full data pooling, but must be calibrated for privacy, especially with aggressive DP budgets ( $\epsilon<1$ yields weak models) (Agrawal et al., 2024).
HE/FHE-based schemes provide strong cryptographic guarantees and are well-suited for offloading to cloud or medical IoT, but typically incur higher computational and communication costs, and may require quantization or reduced model complexity (Frimpong et al., 2024, Yuksel et al., 2024).
Compressive sensing/masking enables controllable “utility for privilege” but may degrade detectability of subtle or rare classes (Impiö et al., 2021).
Synthetic data maintains data minimization but is contingent on generator fidelity and lacks formal DP unless explicitly integrated (Wang et al., 13 Nov 2025).

Recommended Practices

Assess AUROC/accuracy vs. privacy-loss ( $\epsilon$ ) curves per deployment.
Use robust FedAvg as baseline; add DP and secure aggregation as risk increases.
Balance local compute/communication load when deploying to IoT or resource-constrained clients.
Integrate interpretability modules (e.g., Grad-CAM) to aid clinical trust without exposing raw data.
Where feasible, leverage synthetic augmentation to both balance classes and decouple downstream models from protected datasets.