Secure Medical Data Collection in the Internet of Medical Things Based on Local Differential Privacy

Abstract

As big data and data mining technology advance, research on the collection and analysis of medical data on the internet of medical things (IoMT) has gained increasing attention. Medical institutions often collect users’ signs and symptoms from their devices for analysis. However, the process of data collection may pose a risk of privacy leakage without a trusted third party. To address this issue, we propose a medical data collection based on local differential privacy and Count Sketch (MDLDP). The algorithm first uses a random sampling technique to select only one symptom for perturbation by a single user. The perturbed data is then uploaded using Count Sketch. The third-party aggregates the user-submitted data to estimate the frequencies of the symptoms and the mean extent of their occurrence. This paper theoretically demonstrates that the designed algorithm satisfies local differential privacy and unbiased estimation. We also evaluated the algorithm experimentally with existing algorithms on a real medical dataset. The results show that the MDLDP algorithm has good utility for key-value type medical data collection statistics in the IoMT.

1. Introduction

As technologies such as the internet of things, artificial intelligence, and big data continue to advance, digital medical technologies [1] are being applied more widely. With the widespread adoption of the internet of medical things (IoMT), users can easily upload relevant physical sign data and diagnostic results through their devices [2,3], including smartwatches, smartphones, and other wearable devices. This allows medical institutions to effectively monitor regional disease conditions by collecting and analyzing patient symptom data [4]. Additionally, the Centers for Disease Control and Prevention (CDC) can even predict further infectious disease outbreaks [5]. However, while people benefit from medical big data, user personal information and related data are highly vulnerable to leakage, which can be accessed and even maliciously used by others as the data is released and shared. The leakage of users’ disease information can cause a serious psychological burden to users and negative social impacts [6]. To prevent this, the privacy protection of medical information is vital in the development of medical big data and the IoMT.

Health privacy is a major concern for individuals and society, as demonstrated by laws such as the European General Data Protection Regulation (GDPR) [7]. The IoMT involves the use of devices to collect and generate large amounts of health data, which can be vulnerable to privacy breaches from untrustworthy data collectors and attackers during the data collection and dissemination processes [8]. To protect the privacy of user data, various techniques have been developed, including identification [9], anonymity [10], and differential privacy [11,12]. The identification process adopts the identity authentication mechanism for each user, and the user must log in to the system with their own identity to ensure the security of the user’s data. In the process of data collection, anonymity achieves the goal of privacy protection by deleting or hiding identifying attributes, and differential privacy protect data by adding noise. These techniques can provide a certain level of privacy protection in specific scenarios, however, they may have limitations in their applicability to the IoMT and often require the involvement of trusted third parties for data collection. Local differential privacy (LDP) [13] is a privacy protection technique that aims to protect data privacy by adding noise to the data collection and analysis processes. It has been proposed as a solution that does not require a trusted third party and addresses the limitations of anonymity and differential privacy models. Research on how to implement local differential privacy protection is currently a focus in academia and industry.

In recent years, there has been a significant amount of research on local differential privacy, and it has been applied in various fields. Google uses the RAPPOR [14] method for data collection in the Chrome browser, Apple [15] uses local differential privacy algorithms for statistical analysis of user emoticons, and Samsung proposed Harmony [16], based on local differential privacy, for collecting and analyzing on-device data. However, there has not yet been a feasible privacy protection method proposed for key-value medical data under the IoMT, so this paper focuses on addressing this problem.

There are three main challenges in solving this problem. The first one is how to design a reasonable perturbation scheme for key-value type medical data that maintains the correlation between keys and values, thereby improving the accuracy when counting the data. The second one is to design data collection schemes that minimize noise error and communication costs for data collectors in the IoMT. The last is to ensure that the designed method should satisfy local differential privacy and unbiased estimation.

To address these challenges, we propose the MDLDP method, which is based on local differential privacy and the Count Sketch [17] structure. The main contributions of this paper are as follows:

• To the first challenge, we propose MDLDP. Unlike existing algorithms that cannot handle key-valued data [18] or treat users’ data keys and values separately, MDLDP perturbs data keys uniformly and locally, maintaining the correlation and availability between data.
• To deal with the second challenge, we propose to encode and collect user data through the Count Sketch, which can be effectively used for large-scale data collection.
• We theoretically analyzed that MDLDP satisfies $ϵ$-local differential privacy, and that frequency and mean estimations are unbiased. We also compared MDLDP in terms of mean square error and relative error for frequency and mean estimations through comparative experiments to verify its effectiveness in protecting the privacy of key-value type medical data in the IoMT.

2. Related Work

2.1. Privacy Protection in IoMT

The widespread adoption of IoMT devices in the healthcare industry has the potential to revolutionize patient care through the collection and analysis of real-time health data. However, the use of these devices also raises concerns about privacy and security, as the collected data may contain sensitive and personal information. To address these concerns, various privacy protection techniques have been proposed, including the use of secure communication protocols, anonymization techniques, and differential privacy [9,10,11,12].

While these techniques can provide some level of privacy protection, they have their own limitations and may not be fully applicable to the IoMT context. For example, secure communication protocols and anonymization techniques may not provide sufficient protection and may be unable to resist homogeneous attacks and background knowledge attacks. Differential privacy relies on trusted third parties, which can be vulnerable to data breaches. In this paper, we propose the use of local differential privacy [13] as a solution to address these limitations and protect the privacy of IoMT-collected healthcare data. Our proposed approach aims to solve the problem of user privacy protection in the IoMT by applying local differential privacy to the data collection process.

2.2. Local Differential Privacy

Unlike differential privacy, which relies on a trusted third party to add noise to the data, local differential privacy allows each user to locally perturb their own data using a random response mechanism [19] before submitting the noisy results to the untrusted data collector for privacy protection. Currently, the research on local differential privacy consists of frequency publishing, mean publishing, and frequent itemset mining. The RAPPOR [14] method, proposed by Google, uses Bloom filter [20] encoding and randomized response [19] to provide local protection for user browsing records. The SHist method [21], proposed by Cormode et al. uses hashing and matrix projection techniques to reduce communication costs. Wang et al. [22] propose the OUE and OLH methods, which use unary coding and local hashing to improve estimation accuracy. Ye et al. [23] propose the PrivKV method, a key-value type data collection scheme. Gu et al. [24] propose the PCKV algorithm, which optimizes the PrivKV method and uses a sampling-filling technique to collect key-value data without splitting the privacy budget.

In this paper, we proposed an algorithm that can effectively collect key-value type medical data in the IoMT. Our proposed methods address the limitations of existing approaches, which often struggle with the need for frequent segmentation of privacy budgets and the inability to handle sparse key-value domains.

3. Preliminaries and Problem Definition

3.1. Preliminaries

Definition 1.

$ϵ$-Local Differential Privacy. For a randomized algorithm$ℳ$with the domain of definition$Dom(ℳ)$and domain of values$Range(ℳ)$. It is possible for pairs of input values$d$and$d^{\prime }$(where$d$,$d^{\prime }\in Dom(ℳ)$) to produce the same output$y\in Range(ℳ)$, it holds:

$$\mathrm{Pr}\left[ℳ\left(\mathrm{d}\right)=\mathrm{y}\right]\le {\mathrm{e}}^{ϵ}\times \mathrm{Pr}\left[ℳ\left( \mathrm{d} \prime \right)=\mathrm{y}\right],$$

(1)

The algorithm $ℳ$ satisfies $ϵ$-local differential privacy, where $ϵ$ is the privacy budget. A smaller $ϵ$ value indicates stronger privacy protection provided by $ℳ$.

Theorem 1.

Sequential Composition [25]. A set of randomized algorithms$ℳ=\left\{{ℳ}_1,{ℳ}_2,\dots ,{ℳ}_{𝓃}\right\}$applied to the same dataset$D$. If${ℳ}_{𝒾}\left(1\le i\le n\right)$satisfies$ϵ$-local differential privacy,$ℳ$satisfies$\left(\sum _i{ϵ}_i\right)$local differential privacy on dataset$D$.

Theorem 2.

Parallel Composition [25]. A dataset$\mathrm{D}$that is divided into$\mathrm{n}$disjoint subsets,$\mathrm{D}=\left\{\mathrm{D}1,\mathrm{D}2,\dots ,\mathrm{Dn}\right\}$, and an$ϵ$-local differential privacy algorithm$ℳ$. The algorithm$ℳ$satisfies$ϵ$-local differential privacy when applied to each subset individually.

Definition 2.

Randomized Response [19]. Let$\mathrm{v}$be a user’s binary value,$\hat{\mathrm{v}}$is responded. For any$\mathrm{v}$, there is:

$$Pr\left[\widehat{v}=v\right]=\{\begin{array}{ll}\frac{e^{ϵ}}{e^{ϵ}+1},\hfill & \mathrm{if} \widehat{v}=v\hfill \\ \frac{1}{e^{ϵ}+1},\hfill & \mathrm{if} \widehat{v}\ne v\hfill \end{array},$$

(2)

The randomized response outputs the true value with probability $\frac{e^{ϵ}}{e^{ϵ}+1}$ and outputs the opposite value with probability $\frac{1}{e^{ϵ}+1}$. However, the traditional randomized response technique is only suitable for binary attributes. To expand its applicability to a wider range of attributes, the generalized randomized response has been proposed.

Definition 3.

Generalized Randomized Response [26]. Let$\mathrm{v}\in \mathrm{R}$be a user’s input, where$\mathrm{R}$is a set of the true values users can have and the length of$\mathrm{R}$is$\mathrm{d}$,$\hat{\mathrm{v}}$is responded. The generalized randomized response works as:

$$Pr\left[\widehat{v}=v\right]=\{\begin{array}{ll}\frac{e^{ϵ}}{e^{ϵ}+d-1},\hfill & \mathrm{if} \widehat{v}=v\hfill \\ \frac{1}{e^{ϵ}+d-1},\hfill & \mathrm{if} \widehat{v}\ne v\hfill \end{array},$$

(3)

The generalized randomized response is a statistical technique that is similar to the traditional randomized response technique, however, it is designed to be applicable to a wider range of attributes beyond just binary attributes.

Definition 4.

Count Sketch [17]. Count sketch is a data structure that is used to estimate the frequency of items in a large dataset. It consists of an array of counters and a hash function. The array of counters is used to store the frequency estimates for each item, and the hash function is used to map each item to a specific counter in the array. When an item is added to the count sketch, it is hashed using the hash function and the corresponding counter in the array is incremented. To estimate the frequency of an item, the item is hashed using the same hash function and the value of the corresponding counter is returned as an estimate of the frequency.

Count Sketch allows for efficient frequency estimation of items in large datasets without the need to store the entire dataset in the memory and it is a useful tool for data analysis and has applications in a variety of fields, including machine learning, data mining, and information retrieval.

3.2. Problem Definition

This paper focuses on the problems of frequency estimation and mean estimation of medical data in the IoMT. Frequency estimates are used to measure symptoms, signs, etc., while mean estimates are used to measure their extent. In the following section, we will model these problems using local differential privacy.

Let $U$ be a set of $n$ users, $U=\left\{u_1,u_2,\dots ,u_n\right\}$. Let $K$ be a set of d vital signs and symptoms, $K=\left\{k_1,k_2,\dots ,k_d\right\}$. The values of the original symptoms and vital signs are mapped to the interval $\left[0,1\right]$ by scaling, and represented as $V$. For each user $u_i$, there is a set of symptoms $S_i=\left\{\langle k_j,v_j\rangle |1\le j\le l_i,k_j\in K,v_j\in V\right\}$ of length $l_i$, where each symptom $k_j$ is associated with a corresponding value $v_j\in V$. For example, as shown in Figure 1, a user may have symptoms such as cough, fever, and sneezing, each with a corresponding degree of severity.

Here, we define the frequency and mean estimates of physical symptoms as follows:

Definition 5.

Frequency Estimation of Symptoms. The frequency estimate of a physical symptom is the number of$u_i$who have reported experiencing the symptom$k$and the value of symptom$k$is v in the set of$u_i$’s all symptoms$S_i$, divided by the total number of$n$users in the sample. It is calculated as follows:

$$f_k=\frac{\left|\{{\sum }_1^n{u}_i\right|\exists \left(k,\mathrm{v}\right)\in S_i\left\}\right|}{\mathrm{n}},$$

(4)

Definition 6.

Mean Estimation of Symptoms. The mean estimate of a physical symptom is the average severity of the symptom among all users who have reported experiencing it. It is calculated by summing the values of the symptom for all users who have reported experiencing it, and dividing by the total number of users who have reported the symptom. It is calculated as follows:

$${\mu }_k=\frac{\left\{\sum v\right|\left(u_i\in U,\exists \left(k,v\right)\in S_i\right)\}}{n{f}_k},$$

(5)

In practical usage scenarios, it is not necessary to have accurate estimates of vital signs and physical symptoms. For example, epidemic prevention authorities may only need to determine the general spread of a disease in a region based on specific symptoms, rather than precise counts. However, it is important to ensure the relative precision and availability of the data. Therefore, in this paper, we will use the mean square error (MSE) and relative error (RE) to measure the accuracy of frequency estimation and mean estimation and aim to obtain results with errors as small as possible.

4. Algorithm for Medical Data Collection under LDP

4.1. System Architecture

The system architecture used by MDLDP is shown in Figure 2, which shows the specific operation and interaction methods between users and third parties. The system architecture layout is relatively simple, reduces the system overhead, and has practicability and security.

Users locally encode and perturb their sign and symptom degree. In the process of local encoding, the user data is extracted by sampling-filling technology. Then the local disturbance is carried out by GRR, and the disturbance result is uploaded. A single user only needs to upload one set of data. Then a third party aggregates the perturbed data for statistics. In the process of communication, Count Sketch is fully used to reduce the cost of user including computation, communication and storage.

4.2. Algorithm Design

The algorithm works by first encoding the original user data. Then, it randomly selects a data sample for discretization and perturbation, and maps the perturbated results through Count Sketch. Finally, the data collector aggregates and reduces the statistics of the perturbed Sketch submitted by the user in order to obtain statistical information about the user data while protecting the privacy of the user. The overall design of MDLDP is illustrated in Figure 3.

The MDLDP algorithm is based on local differential privacy and uses Count Sketch to collect large-scale data statistics. The specific implementation is shown in Algorithm 1.

Algorithm 1: MDLDP algorithm

Input: A set of key-value pairs $S=S_1,S_2,\dots ,S_n$ for $n$ users, the value domain of symptoms $K=k_1,k_2,\dots ,k_d$, the size of symptoms $d$, perturbation probability $p$ and $q$, error parameter $\xi$, probability confidence $\delta$, privacy budget $ϵ$ Output: frequency estimation $\widehat{f}$, mean estimation $\widehat{\mu }$

$\widehat{f}\leftarrow ⌀$, $\widehat{\mu }\leftarrow ⌀$ $t\leftarrow \lceil \ln \frac{1}{\mathsf{\delta }}\rceil , w\leftarrow \lceil \frac{1}{{\xi }^2}\rceil$ choose a set of 2-universal hash functions $H=h_1,h_2,\dots ,h_t$ to mapping $K$ to $\left[w\right]$ choose a set of 2-universal hash functions $G=g_1,g_2,\dots ,g_t$ to mapping $K$ to {$-1,+1\}$ for $i\leftarrow 1$ to $n$ do: $\hspace{1em}\hspace{1em}\left(j,\langle k_j^{*},v_j^{*}\rangle \right)$$\leftarrow$ MDLDP-LRR ($S_i,ϵ$) $\hspace{1em}\hspace{1em}{\mathcal{V}}_i\leftarrow$ MDLDP-CS $\left(j,\langle k_j^{*},v_j^{*}\rangle \right),H,G,t,w$) end for $\mathcal{V},{\mathcal{V}}_{-},{\mathcal{V}}_{+}\leftarrow$ MDLDP-Aggregate (${\mathcal{V}}_1,{\mathcal{V}}_2,\dots ,{\mathcal{V}}_n,t,w$) for $j\leftarrow 1$ to $d$ do: $\hspace{1em}\hspace{1em}f\left(k_j\right),c_{+}\left(j\right),c_{-}\left(j\right)\leftarrow median\left\{\mathcal{V}\left[t\right]\left[h_i\left(j\right)g_i\left(j\right))\right]\right|i\in \left[t\right]\}$ $\hspace{1em}\hspace{1em}\widehat{f}\left(k_j\right)\leftarrow \frac{\mathrm{d}\times \widehat{f}\left({\mathrm{k}}_{\mathrm{j}}\right)-\left(1-\mathrm{p}\right)}{\mathrm{p}-\mathrm{q}}$ $\hspace{1em}\hspace{1em}{\mathrm{c}}_{\pm }^{*}\left(\mathrm{j}\right)\leftarrow \frac{{\mathrm{c}}_{\pm }\left(\mathrm{j}\right)+\mathrm{c}\left(\mathrm{j}\right)\left(\mathrm{p}-1\right)}{2\mathrm{p}-1}$ $\hspace{1em}\hspace{1em}\widehat{\mu }\left(k_j\right)\leftarrow \frac{c_{+}^{*}\left(j\right)-c_{-}^{*}\left(j\right)}{c_{+}^{*}\left(j\right)+c_{-}^{*}\left(j\right)}$ $\hspace{1em}\hspace{1em}\widehat{f}\leftarrow \widehat{f}\left(k_j\right){{\displaystyle \cup }}^{ }\widehat{f},\widehat{\mu }\leftarrow \widehat{\mu }\left(k_j\right){{\displaystyle \cup }}^{ }\widehat{\mu },$ end for return $\widehat{f},\widehat{\mu }$

The algorithm consists of four key steps: initialization, encoding and perturbation, sketch construction, and aggregation and data statistics. First, in the initialization process (lines 1–4), we set a preset hash functions $H$ to map symptoms $K$ to an $\frac{1}{{\mathsf{\xi }}^2}$-length bit string and set hash functions $G$ to map input value into $-1,+1$. Then, each user applies the MDLDP-LRR algorithm to perturb their original data (line 6). The perturbed data is then sent to a third party using the MDLDP-CS algorithm (line 7). Finally, the third party aggregates the data submitted by the users using the MDLDP-Aggregate algorithm (line 9), and computes the corrected statistical results (lines 10–16).

4.3. Local Randomized Response and Perturb

In this process, the user side will encode and perturb the operation using the MDLDP-LRR algorithm. Firstly, the set of key-value symptoms owned by the user is uniformly encoded (line 1). The symptoms owned by the user are encoded as $\langle 1,v_i\rangle$, and the symptoms not owned by the user are filled with $\langle 0,0\rangle$ to generate ${S^{\prime }}_i$. After encoding, a random $\langle k_j,v_j\rangle$ of the $j$ symptom is sampled (line 2) for local perturbation (lines 3–8). As shown in Algorithm 2.

Algorithm 2: MDLDP-LRR algorithm

Input: A key-value pair $S_i$ for $u_i$, privacy budget $ϵ$ Output: Key number $j$, key-value $\langle k_j^{*},v_j^{*}\rangle$

$S_i^{\prime }\leftarrow$ Encoding $\left(S_i\right)$ $j\leftarrow random.randint\left(1,\mathrm{len}\left(S_i^{\prime }\right)\right)$ if the $j$-th $\langle k_j,v_j\rangle$ is $\langle 0,0\rangle$:   discretize and perturb <$k_j,v_j$> as follows: $$\langle k_j^{*},v_j^{*}\rangle =\{\begin{array}{c}\langle 0,0\rangle , w.p.p\hfill \\ \langle 1,1\rangle , w.p.\frac{1-p}{2}\hfill \\ \langle 1,-1\rangle ,w.p.\frac{1-p}{2}\hfill \end{array}$$ else if the $j$-th <$k_j,v_j$> is $\langle 1,v\rangle$:   discretize and perturb <$k_j,v_j$> as follows: $\langle k_j^{*},v_j^{*}\rangle =\{\begin{array}{c}\langle 0,0\rangle , w.p.\frac{1+v}{2}\times \frac{1-p_1}{2}+\frac{1-v}{2}\times \frac{1-p_2}{2}\hfill \\ \langle 1,1\rangle , w.p.\frac{1+v}{2}\times p_1+\frac{1-v}{2}\times \frac{1-p_2}{2}\hfill \\ \langle 1,-1\rangle ,w.p.\frac{1+v}{2}\times \frac{1-p_1}{2}+\frac{1-v}{2}\times p_2\hfill \end{array}$ end if return $\left(j,\langle k_j^{*},v_j^{*}\rangle \right)$

Referring to papers [24,27,28], we designed the key-value perturbation schemes that do not require splitting privacy budgets. During the local perturbation process, the key value will undergo a discretization operation, and then a random response will be generated using the GRR algorithm to ensure $ϵ$-local differential privacy. The specific perturbation process is illustrated in Figure 4.

According to the result of the disturbance, the symptoms of user key data will be sent in three forms: $\langle 0,0\rangle ,\langle 1,1\rangle ,\langle 1,-1\rangle$. These forms include $p$, $p_1$, and $p_2$, and maintain the original value probability after disturbance as Definition 3. Specifically, $p=e^{ϵ}/\left(e^{ϵ}+d-1\right)$ where $d=3$ to maintain the original value probability in the disturbance process. This means $p=e^{ϵ}/\left(e^{ϵ}+2\right)$, $p_1=p_2=p$, and $q=\left(1-p\right)/2$.

4.4. Construct Sketch

After the perturbation is completed, the user uploads the data through the MDLDP-CS algorithm. As shown in Algorithm 3.

Algorithm 3: MDLDP-CS algorithm

Input: The $u_i$’s key-value pair $\left(j,\langle k_j^{*},v_j^{*}\rangle \right)$ after perturbation, hash functions $H=h_1,h_2,\dots ,h_t$ and $G=g_1,g_2,\dots ,g_t$, the number of hash functions $t$, the bit number $w$ Output: matrix ${\mathcal{V}}_i$

${\mathcal{V}}_{𝒾}\leftarrow memset\left(array,sizeof\left(array\left[t\right]\left[w\right]\right)\right)$ for $i\leftarrow 1$ to $t$ do: $\hspace{1em}({\mathcal{V}}_{𝒾}\left[t\right]\left[h_i\left(j\right)\right]=g_i\left(j\right)\times v_j^{*}$ end for return ${\mathcal{V}}_{𝒾}$

After locally perturbing the key-value data, the user maps the values into a hash matrix using the MDLDP-CS algorithm (lines 2–4) and then sends the resulting matrix to the data collector.

4.5. Aggregate and Analysis

After receiving the perturbed data from the user, the third party aggregates the sketch using the MDLDP-Aggregate method. The median value of symptom $k$ is then chosen as the appropriate result (line 4) and further statistical analysis is conducted based on this. As shown in Algorithm 4.

Algorithm 4: MDLDP-Aggregate algorithm

Input: All users’ matrix ${\mathcal{V}}_1,{\mathcal{V}}_2,\dots ,{\mathcal{V}}_n$, the number of hash functions $t$, the bit number $w$ Output: The aggregated $\mathcal{V},{\mathcal{V}}_{+},{\mathcal{V}}_{-}$

$\mathcal{V},{\mathcal{V}}_{+},{\mathcal{V}}_{-}\leftarrow memset\left(array,sizeof\left(array\left[t\right]\left[w\right]\right)\right)$ for $i\leftarrow 1$ to $t$ do:   for $j\leftarrow 1$ to $w$ do: $\hspace{1em}\hspace{1em} \mathcal{V}\left[i\right]\left[j\right]=\mathcal{V}\left[i\right]\left[j\right]+\left|{\mathcal{V}}_i\left[j\right]\right|$    if ${\mathcal{V}}_i\left[j\right]=-1$ do: $\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{\mathcal{V}}_{-}\left[i\right]\left[j\right]={\mathcal{V}}_{-}\left[i\right]\left[j\right]+{\mathcal{V}}_i\left[j\right]$    else: $\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{\mathcal{V}}_{+}\left[i\right]\left[j\right]={\mathcal{V}}_{+}\left[i\right]\left[j\right]+{\mathcal{V}}_i\left[j\right]$    end if   end for end for return $\mathcal{V},{\mathcal{V}}_{+},{\mathcal{V}}_{-}$

The different values corresponding to the keys are aggregated into their respective matrices (lines 2–11). In Algorithm 1, the median method is used to select the appropriate result as the statistical value of symptom $k$ (line 11), and further statistical analysis is conducted based on this result.

4.6. Algorithm Analysis

In the following, the MDLDP algorithm will be analyzed and verified from two aspects of privacy and practicality.

4.6.1. Privacy Analysis

Theorem 3.

MDLDP satisfies$ϵ$-local differential privacy.

Proof of Theorem 3.

In the MDLDP-LRR algorithm, the user only needs to spend their privacy budget $ϵ$ on local perturbation. The consumption of the privacy budget is not involved in the other steps of the algorithm. Consider two different key-value pairs $\langle k_1,v_1\rangle$ and $\langle k_2,v_2\rangle$, and the resulting perturbed key-value pair $\langle k^{*},v^{*}\rangle$. As shown in Figure 4, the result of the perturbation for the key-value pairs $\langle k_1,v_1\rangle$ and $\langle k_2,v_2\rangle$ is $\langle 0,0\rangle$, $\langle 1,1\rangle$, and $\langle 1,-1\rangle$, which can be divided into the following three cases to demonstrate that the algorithm satisfies the $ϵ$-local differential privacy requirement.

• $<k^{*},v^{*}\ge \langle 0,0\rangle$:

  $$\begin{array}{ll}\frac{\mathrm{Pr}\left[perturb\left(\langle k_1,v_1\rangle \right)=\langle 0,0\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle k_2,v_2\rangle \right)=\langle 0,0\rangle \right]}& \le \frac{\mathrm{Pr}\left[perturb\left(\langle 0,0\rangle \right)=\langle 0,0\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle 1,\pm 1\rangle \right)=\langle 0,0\rangle \right]}\\ & =\frac{p}{\frac{1+v}{2}\times \frac{1-p_1}{2}+\frac{1-v}{2}\times \frac{1-p_2}{2}}=e^{ϵ}\end{array}$$

  (6)
• $<k^{*},v^{*}\ge \langle 1,1\rangle$:

  $$\begin{array}{ll}\frac{\mathrm{Pr}\left[perturb\left(\langle k_1,v_1\rangle \right)=\langle 1,1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle k_2,v_2\rangle \right)=\langle 1,1\rangle \right]}& \le \frac{\mathrm{Pr}\left[perturb\left(\langle 1,1\rangle \right)=\langle 1,1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle 0,0\rangle \right)=\langle 1,1\rangle \right]}\\ & =\frac{p_1}{\frac{1-p}{2}}=e^{ϵ}\end{array}$$

  (7)

  $$\begin{array}{ll}\frac{\mathrm{Pr}\left[perturb\left(\langle k_1,v_1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle k_2,v_2\rangle \right)=\langle 1,-1\rangle \right]}& \le \frac{\mathrm{Pr}\left[perturb\left(\langle 1,-1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle 1,1\rangle \right)=\langle 1,-1\rangle \right]}\\ & =\frac{p_2}{\frac{1-p_1}{2}}=e^{ϵ}\end{array}$$

  (8)
• $<k^{*},v^{*}\ge \langle 1,-1\rangle$:

  $$\begin{array}{ll}\frac{\mathrm{Pr}\left[perturb\left(\langle k_1,v_1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle k_2,v_2\rangle \right)=\langle 1,-1\rangle \right]}& \le \frac{\mathrm{Pr}\left[perturb\left(\langle 1,-1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle 0,0\rangle \right)=\langle 1,-1\rangle \right]}\\ & =\frac{p_2}{\frac{1-p_1}{2}}=e^{ϵ}\end{array}$$

  (9)

  $$\begin{array}{ll}\frac{\mathrm{Pr}\left[perturb\left(\langle k_1,v_1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle k_2,v_2\rangle \right)=\langle 1,-1\rangle \right]}& \le \frac{\mathrm{Pr}\left[perturb\left(\langle 1,-1\rangle \right)=\langle 1,-1\rangle \right]}{\mathrm{Pr}\left[perturb\left(\langle 1,1\rangle \right)=\langle 1,-1\rangle \right]}\\ & =\frac{p_2}{\frac{1-p_1}{2}}=e^{ϵ}\end{array}$$

  (10)

According to the above three cases, it can be deduced that the perturbation of data in MDLDP partially satisfies $ϵ$-local differential privacy.

4.6.2. Practical Analysis

Cormode et al. in Fact 3.5 [29] proved that the Count Sketch returns an unbiased estimator for any point query. So, we have just proven that the MDLDP algorithm satisfies the unbiased estimate with the reduction statistics.

Theorem 4.

MDLDP satisfies the unbiased estimate. In MDLDP, under the perturbation with the probability$p=\frac{e^{ϵ}}{e^{ϵ}+2}$and$q=\frac{1}{e^{ϵ}+2}$, both the frequency estimate$\widehat{f}$of the key and the mean estimate$\widehat{\mu }$of the corresponding value of the key satisfy the unbiased estimate.

Proof of Theorem 4.

We prove from two aspects.

• $E\left[\widehat{f}\right]=f$

User $u_i$ obtains the $j$-th key-value pair by sampling, and each key is sampled with the probability $f_j=\frac{1}{d}$. Sampling $n$ users, the number of $j$-th key is equal to $1$ is $c_{k=1}$, and its probability is $f_{k=1}=\frac{c_{k=1}}{n}$. Disturbance sampling keys for the probability of $0$ and $1$, respectively, $Pr\left[k=0\right]=\left(1-f_{k=1}\right)\times p+f_{k=1}\times q$ and $Pr\left[k=1\right]=\left(1-f_{k=1}\right)\times \left(1-p\right)+f_{k=1}\times \left(1-q\right)$. The sampling satisfies a binomial distribution, to construct the likelihood function $L\left(f_{k=1}\right)=Pr{\left[k=1\right]}^{c_{k=1}}\times {\left(Pr\left[k=0\right]\right)}^{\frac{n}{d}-c_{k=1}}$. The likelihood function is calculated by taking the ln of both sides of $L$ and taking the derivative of the $L$ to deduce the estimator $\begin{array}{c}{\widehat{f}}_k=\frac{d\times f_k-\left(1-p\right)}{p-q}\end{array}$, so there is:

$$\begin{array}{ll}E\left({\widehat{f}}_k\right)& =E\left[\frac{d\times f_k-\left(1-p\right)}{p-q}\right]=\frac{d\times E\left[f_k\right]-\left(1-p\right)}{p-q}\\ & =\frac{f_k\times \left(1-q\right)+\left(1-f_k\right)\times \left(1-p\right)-\left(1-p\right)}{p-q}\\ & =f_k\end{array}$$

(11)

2.

$E\left[\widehat{\mu }\right]=\mu$

Assuming $v_j$ represents the real value and $v_j^{*}$ represents the disturbed value, Formula (5) demonstrates that to prove $E\left[{\widehat{\mu }}_k\right]={\mu }_k$, just prove $E\left[v_j^{*}\right]=v_j$. So, there is:

$$\begin{array}{ll}E\left(v_j^{*}\right)& ={\displaystyle {\displaystyle \sum }_1^n}{v}_j^{*}\times \mathrm{Pr}\left(v_j^{*}\right)\\ & =0\times \left[\frac{1}{2}p+\frac{1}{2}\left(\left(1+v_j\right)p_1+\left(1-v_j\right)\frac{1-p_2}{2}\right)\right]\\ & +1\times \left[\frac{1}{2}\left(\frac{1-p}{2}\right)+\frac{1}{2}\left(\frac{1+v_j}{2}{p}_1+\frac{1-v_j}{2}\frac{1-p_2}{2}\right)\right]\\ & +\left(-1\right)\times \left[\frac{1}{2}\left(\frac{1-p}{2}\right)+\frac{1}{2}\left(\frac{1-v_j}{2}{p}_2+\frac{1+v_j}{2}\frac{1-p_1}{2}\right)\right]\\ & =\frac{v_j\left(e^{ϵ}-1\right)}{2\left(e^{ϵ}+2\right)}\end{array}$$

(12)

In order to satisfy $E\left[v_j^{*}\right]=v_j$, it is necessary to set the correction factor $\frac{2\left(e^{ϵ}+2\right)}{e^{ϵ}-1}$. So that $E\left[v_j^{*}\right]\times \frac{2\left(e^{ϵ}+2\right)}{e^{ϵ}-1}=v_j$ which leads to $E\left[{\widehat{\mu }}_k\right]={\mu }_k$.

4.6.3. Complexity Analysis

The MDLDP algorithm has a time complexity of $O\left(ln\frac{1}{\delta }\right)$ and a space complexity of $O\left(\frac{1}{{\xi }^2}ln\frac{1}{\delta }\right)$ in each phase. In the initialization phase, the time complexity is $O\left(\frac{1}{{\xi }^2}ln\frac{1}{\delta }\right)$, as the algorithm creates $\frac{1}{{\xi }^2}\times ln\frac{1}{\delta }$ hash functions and $\frac{1}{{\xi }^2}\times ln\frac{1}{\delta }$ counters. The space complexity is also $O\left(\frac{1}{{\xi }^2}ln\frac{1}{\delta }\right)$, as the MDLDP-CS algorithm uses $\frac{1}{{\xi }^2}\times ln\frac{1}{\delta }$ counters to store the values. When users update the data, the time complexity is $O\left(1\right)$, as the algorithm only updates a single counter for each item. The space complexity remains $O\left(\frac{1}{{\xi }^2}ln\frac{1}{\delta }\right)$. In the aggregation phase, the time complexity is $O\left(\frac{1}{{\xi }^2}ln\frac{1}{\delta }\right)$, as the algorithm must compute the values of all $\frac{1}{{\xi }^2}ln\frac{1}{\delta }$ hash functions for the given item and retrieve the corresponding counters. The space complexity is $O\left(1\right)$, as the algorithm only stores a single result.

5. Experiment Analysis

5.1. Experiment Environment and Data Set

We used a laptop with 16 GB RAM and an AMD Ryzen 7 6800 H processor, running Windows 11, to implement and test the algorithms in Python.

To evaluate our algorithm, we used the MIMIC-III [30] (Medical Information Mart for Intensive Care) database, a large open-source dataset of intensive care unit patient data. The experimental data for this paper consisted of the D_ITEMS and LABEVENTS tables, which contain a total of 12,488 items and 76,075 records.

The experiment consists of two parts: (1) evaluating the effect of different error $\xi$ and confidence $\delta$ parameters on the performance of the MDLDP algorithm under the same privacy budget and (2) comparing the effect of the MDLDP algorithm with constant $\xi$ error and $\delta$ confidence to other local differential privacy algorithms under different privacy budgets. The experimental parameters are shown in

Table 1. Experimental parameters table.

Parameters	Default Value	Range of Values
Numbers of items	12,488
Numbers of data	76,075
Error	0.07	[0.01, 0.05, 0.07, 0.10]
Confidence probability	0.005	[0.005, 0.025, 0.10, 0.20]
Privacy budget	0.7	[0.1, 0.3, 0.5, 0.7]

.

The experiment will be assessed using the mean squared error (MSE) and relative error (RE) for frequency and mean estimation. Where $f_k$ is the true frequency of the item key, ${\widehat{f}}_k$ is the estimated frequency, $\mu$ is the true mean of the corresponding value, and ${\widehat{\mu }}_k$ is the estimated mean. The relevant metrics are:

Definition 7.

Mean Squared Error (MSE). MSE is a commonly used error measurement method used to quantify the difference between predicted and actual values. It is defined as follows:

$${\mathit{MSE}}_{freq}=\frac{1}{d}\times {\displaystyle \sum }_{k\in K}{\left(f_k-{\widehat{f}}_k\right)}^2$$

(13)

Definition 8.

Relative Error (RE). RE is a commonly used error measurement method used to quantify the difference between predicted and actual values. It is defined as follows:

$$\mathrm{RE}={\mathrm{Stat}}_{\mathrm{k}\in \mathrm{K}}\frac{\left|{\mathrm{f}}_{\mathrm{k}}-{\widehat{\mathrm{f}}}_{\mathrm{k}}\right|}{{\mathrm{f}}_{\mathrm{k}}}$$

(14)

The smaller MSE value and RE value indicate that the difference between predicted and actual values is smaller, and the model’s accuracy is higher.

5.2. Experiment Comparison Analysis

5.2.1. Impact of Parameters

To investigate the influence of the error $\xi$, the confidence probability $\delta$, and the privacy budget $ϵ$ parameters on the MDLDP algorithm, we first specify these parameters. Then we confirm the protocol’s validity by calculating the MSE and RE of the frequency estimation for the top 10 and top 30 most frequent elements. And we have counted the experimental run time under these parameters. We also repeat the experiment several times to reduce error.

First, we set confidence probability $\delta =0.005$ and privacy budget $ϵ=0.7$. Error parameter $\xi$ was $\left[0.01,0.05,0.07,0.10\right]$ to test the effect of the error parameter.

Figure 5a,b show MSE and RE of the frequency estimation. The intuition is that $\xi$ impacts less on MDLDP, due to the RE and MSE is not as $\xi$ increased from 0.01 to 0.10.

Second, we set the confidence probability $\xi =0.07$ and privacy budget $ϵ=0.7$. Confidence probability $\delta$ is $\left[0.005,0.025,0.10,0.20\right]$ to test the effect of the confidence probability.

Figure 6a,b show the MSE and RE of frequency estimation. The intuition is that RE and MSE increased with the increase of $\delta$. This means that increasing the number of hash functions can reduce the accuracy of the perturbed data.

Third, we set the confidence probability $\xi =0.07$ and confidence probability $\delta =0.005$. The privacy budget $ϵ$ was $\left[0.1,0.3,0.5,0.7\right]$ to test the effect of privacy budget.

Figure 7a,b show the MSE and RE of frequency estimation. The intuition is that RE and MSE increased with the increase of privacy budget $ϵ$. This means more privacy budget can increase the accuracy.

Finally, we counted the effect of the different parameters set in the above experiments on the algorithm running time. Based on Figure 8a–c, we can infer that these parameters have basically no effect on the algorithm running time with the current data set. As depicted in Figure 9, the running time of the MDLDP algorithm is linearly related to the size of the input data. The X-axis in the figure represents the size of the data randomly drawn from the dataset, while the Y-axis shows the corresponding running time of the algorithm. The results demonstrate that the algorithm is able to efficiently process large datasets and maintains good scalability as the volume of data increases.

Through our experiments, we investigated the effect of parameter settings on the MDLDP algorithm. Firstly, we discovered that error parameter $\xi$ had a limited effect on accuracy. Secondly, we observed that a higher confidence probability $\delta$ resulted in lower accuracy. Finally, we found that increasing privacy budget $ϵ$ had a positive impact on the accuracy of frequency estimation.

5.2.2. Compare to Other Algorithms

We used MSE and RE to compare the MDLDP algorithm with error parameter $\xi =0.007$ and confidence probability $\delta =0.05$ to the PrivKV [23] and PCKV [24] algorithms, under different privacy budgets in $\left[0.1,0.3,0.5,0.7\right]$.

In Figure 10a,b, we present the MSEs of frequency and mean estimates under different privacy budgets. The results indicate that the MDLDP algorithm performs better than the other algorithms, achieving lower MSE values under the same privacy budget. This demonstrates the effectiveness of the MDLDP algorithm in providing accurate frequency and mean estimates while preserving privacy.

Figure 11a–d present the RE of the top 10–50 elements’ frequency estimation for privacy budgets $ϵ$ of $\left[0.1,0.3,0.5,0.7\right]$. It can be seen from these figures that (1) the relative error of the statistics rises with the number of statistics; (2) the proposed algorithm has a higher accuracy under the same privacy budget.

As shown in Figure 12, we compared the running times of the three algorithms under different privacy budgets $ϵ$ of $\left[0.1,0.3,0.5,0.7\right]$. It can indicate that the three algorithms have similar running times on the current experimental dataset, and the proposed algorithm performs better in frequency estimation and mean estimation with a similar run time to the other algorithms.

The experimental comparison reveals that the MDLDP algorithm proposed has higher data availability than other local differential privacy protection algorithms. The results of our experiments suggest that the MDLDP algorithm can effectively protect medical data collection in the IoMT with high usability.

6. Conclusions

This paper focuses on local differential privacy algorithms for medical data collection in the IoMT and investigates how to estimate the frequency and mean of symptom occurrence under local differential privacy. We propose the MDLDP algorithm and design a random response perturbation that protects key-value type data while preserving the correlations between data, without splitting the privacy budget. We also designed a data collection method using Count Sketch based on local differential privacy. We demonstrate that the algorithm satisfies local differential privacy and unbiased estimation. Through experimental comparisons, we study the impact of different parameters on the performance of the MDLDP algorithm and show that it has higher usability and accuracy in the key-value type medical data collection process compared to other algorithms. In the future, we plan to design better encoding methods and optimize the perturbation technique to improve accuracy further.