Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Does BERT Pretrained on Clinical Notes Reveal Sensitive Data?

Eric Lehman, Sarthak Jain, Karl Pichotta, Yoav Goldberg, Byron C. Wallace

TL;DR

The paper investigates privacy risks of releasing pretrained BERT weights trained on non-deidentified EHR notes by systematically probing memorization of personally identifiable information. It employs a mix of fill-in-the-blank templates, probing classifiers, cosine similarity analyses, name-recovery tests, and generation-based attacks using the MIMIC-III dataset with synthetic name insertions. The findings show that simple methods yield signals only marginally above chance and are often weaker than naive frequency baselines, while more sophisticated generation-based approaches produce mixed and inconclusive results, underscoring that PHI leakage via model weights is not yet clearly demonstrated. The work highlights important privacy considerations, provides a replicable experimental setup, and calls for continued development of stronger attacks and safeguards when sharing models trained on sensitive clinical data.

Abstract

Large Transformers pretrained over clinical notes from Electronic Health Records (EHR) have afforded substantial gains in performance on predictive clinical tasks. The cost of training such models (and the necessity of data access to do so) coupled with their utility motivates parameter sharing, i.e., the release of pretrained models such as ClinicalBERT. While most efforts have used deidentified EHR, many researchers have access to large sets of sensitive, non-deidentified EHR with which they might train a BERT model (or similar). Would it be safe to release the weights of such a model if they did? In this work, we design a battery of approaches intended to recover Personal Health Information (PHI) from a trained BERT. Specifically, we attempt to recover patient names and conditions with which they are associated. We find that simple probing methods are not able to meaningfully extract sensitive information from BERT trained over the MIMIC-III corpus of EHR. However, more sophisticated "attacks" may succeed in doing so: To facilitate such research, we make our experimental setup and baseline probing models available at https://github.com/elehman16/exposing_patient_data_release

Does BERT Pretrained on Clinical Notes Reveal Sensitive Data?

TL;DR

The paper investigates privacy risks of releasing pretrained BERT weights trained on non-deidentified EHR notes by systematically probing memorization of personally identifiable information. It employs a mix of fill-in-the-blank templates, probing classifiers, cosine similarity analyses, name-recovery tests, and generation-based attacks using the MIMIC-III dataset with synthetic name insertions. The findings show that simple methods yield signals only marginally above chance and are often weaker than naive frequency baselines, while more sophisticated generation-based approaches produce mixed and inconclusive results, underscoring that PHI leakage via model weights is not yet clearly demonstrated. The work highlights important privacy considerations, provides a replicable experimental setup, and calls for continued development of stronger attacks and safeguards when sharing models trained on sensitive clinical data.

Abstract

Large Transformers pretrained over clinical notes from Electronic Health Records (EHR) have afforded substantial gains in performance on predictive clinical tasks. The cost of training such models (and the necessity of data access to do so) coupled with their utility motivates parameter sharing, i.e., the release of pretrained models such as ClinicalBERT. While most efforts have used deidentified EHR, many researchers have access to large sets of sensitive, non-deidentified EHR with which they might train a BERT model (or similar). Would it be safe to release the weights of such a model if they did? In this work, we design a battery of approaches intended to recover Personal Health Information (PHI) from a trained BERT. Specifically, we attempt to recover patient names and conditions with which they are associated. We find that simple probing methods are not able to meaningfully extract sensitive information from BERT trained over the MIMIC-III corpus of EHR. However, more sophisticated "attacks" may succeed in doing so: To facilitate such research, we make our experimental setup and baseline probing models available at https://github.com/elehman16/exposing_patient_data_release

Paper Structure

This paper contains 31 sections, 1 equation, 4 figures, 13 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Dataset
  4. Enumerating Conditions
  5. Model and Pretraining Setup
  6. Contextualized Representations (BERT)
  7. Static Word Embeddings
  8. Methods and Results
  9. Fill-in-the-Blank
  10. Generic Templates
  11. Results
  12. Masking the Condition (Only)
  13. Probing
  14. Differences in Cosine Similarities
  15. Can we Recover Patient Names?
  16. ...and 16 more sections

Figures (4)

  • Figure 1: Overview of this work. We explore initial strategies intended to extract sensitive information from BERT model weights estimated over the notes in Electronic Health Records (EHR) data.
  • Figure A1: A distribution of ICD-9 codes and how many patients (of the 27K) have each condition. All bin end values are not inclusive.
  • Figure A2: A distribution of MedCAT codes and how many patients (of the 27K) have each condition. All bin end values are not inclusive.
  • Figure A3: Per-length performance of both ICD-9 and MedCAT labels for the 'masked conditon' (only) experiments. A bin length of $k$ contains conditions comprising $k$ token pieces.