Health-RI wiki v4.0 -> consultation (open until 03-12-2024)


Multi-Party Computation

DATE: 11-11-2024 STATUS: FOR REVIEW

This article describes Multi-Party Computation (MPC) as a Privacy Enhancing Technology and provides some considerations when selecting an MPC vendor.

A promising Privacy Enhancing Technology (PET) is Multi-Party Computation (MPC). MPC is a cryptographic method that allows multiple parties to perform calculations on encrypted data together, without having access to each other's information. Because the data remains encrypted during the entire processing and there is no single point of failure, the chance of data leaks and disclosure is significantly reduced. Only the end result of the analysis is shared, which means that sensitive information remains protected.

Thanks to this setup, MPC offers optimal privacy protection and a high level of confidentiality, even during calculations. It makes it possible to securely share and analyze sensitive data at an individual level (n=1). This allows data from the same person at different organizations to be combined for analysis, something that is not really possible with federated analysis.
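The individual-level combination described above, as an added example that is not part of the original article or of any vendor's product: two organizations each hold one yes/no flag per patient, and two compute parties learn only how many patients have both flags set. It assumes one common MPC construction (additive secret sharing with Beaver triples from a trusted dealer), semi-honest parties, and rows already aligned on a shared pseudonym; the hospital and pharmacy datasets and all function names are hypothetical.

```python
import secrets

P = 2**61 - 1  # prime modulus; all shares live in the field Z_P

def share(x):
    """Split x into two additive shares; each share alone is uniformly random."""
    r = secrets.randbelow(P)
    return r, (x - r) % P

def reconstruct(s0, s1):
    """Recombine two additive shares into the value they hide."""
    return (s0 + s1) % P

def beaver_triple():
    """Trusted dealer (assumption): shares of random a, b and of c = a*b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)

def secure_mul(x_sh, y_sh):
    """Multiply two shared values; only the masked d = x-a and e = y-b are opened."""
    a_sh, b_sh, c_sh = beaver_triple()
    d = reconstruct(*[(x_sh[i] - a_sh[i]) % P for i in (0, 1)])
    e = reconstruct(*[(y_sh[i] - b_sh[i]) % P for i in (0, 1)])
    # x*y = c + d*b + e*a + d*e, computed share-wise by each party
    z = [(c_sh[i] + d * b_sh[i] + e * a_sh[i]) % P for i in (0, 1)]
    z[0] = (z[0] + d * e) % P  # the public term is added by one party only
    return tuple(z)

def count_both(flags_a, flags_b):
    """Count patients whose flag is 1 in BOTH row-aligned datasets."""
    total = [0, 0]
    for x, y in zip(flags_a, flags_b):
        prod = secure_mul(share(x), share(y))  # each owner shares its own bit
        total = [(total[i] + prod[i]) % P for i in (0, 1)]  # local addition
    return reconstruct(*total)  # only the aggregate is ever opened

# Constructed sample data: one row per patient, same order at both organizations.
HOSPITAL_DIAGNOSIS = [1, 0, 1, 1, 0, 1]   # hypothetical: patient has diagnosis
PHARMACY_MEDICATION = [1, 1, 0, 1, 0, 1]  # hypothetical: patient got medication

if __name__ == "__main__":
    print(count_both(HOSPITAL_DIAGNOSIS, PHARMACY_MEDICATION))
```

Neither compute party ever holds a patient's flag in the clear; the per-patient products stay shared and only the final sum is reconstructed.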

 

Key considerations when selecting MPC vendors

When selecting a vendor that offers MPC solutions, there are a number of critical considerations:

  1. IT knowledge and resources required for implementation: Should you opt for a SaaS solution or for local installations?

  2. Distribution of roles and setup of the data processor: The choice of implementation will influence who the processor of the data is.

  3. Analysis capabilities and performance: The analysis capabilities and performance of the solution should match the needs of the organization and the scale of the project.

  4. Governance and approval of analysis scripts: Attention should be paid to the remaining risks around approval processes. Strict script approval offers stronger privacy guarantees than governance rules, because all approvers review the entire script and can thus better prevent statistical disclosure. However, this requires that approvers have sufficient technical knowledge to thoroughly understand the scripts. Governance rules, on the other hand, offer more flexibility in the creation of analysis scripts, but may not prevent all forms of statistical disclosure, creating a trade-off between strict privacy protections and flexibility in analysis.

  5. Certifications and audits: Look for relevant certifications and regular audits to ensure security and compliance.

  6. Scalability: MPC should be able to scale to larger datasets or a larger number of participants as needed.

  7. Transparency of technology used: Clear information about the technologies and processes used promotes trust and better understanding among all participants.

Some proofs of concept running with MPC technology