Software accurately identifies patients using brain MRI scans, Mayo study finds

Securing imaging data has become a hot topic in radiology. Though institutions typically deidentify data before using it in research, the practice is harder than it seems and may not completely protect a patient’s privacy.

That’s what new research out of the Mayo Clinic found. A team led by computer scientist Christopher Schwarz, PhD, with Mayo’s Center for Advanced Imaging Research, determined that commercial face recognition software could identify people based on brain MRI scans.

The problem specifically applies to study participants who share brain imaging data for research, not MRIs performed as part of care visits, Schwarz noted in a letter to the editor published Oct. 23 in the New England Journal of Medicine.

"This is only applicable if people can get access to the MRI scans in publicly available research databases,” Schwarz added in a Mayo statement. “It is not related to medical care, where data is secured.”

Imaging data is typically shared only with researchers who legally agree not to attempt to identify patients, but not all experts think that’s enough.

In fact, radiologists debated this issue during a session at this year’s Society for Imaging Informatics in Medicine (SIIM) annual meeting. One expert at the meeting, Adam B. Prater, MD, MPH, of Emory University School of Medicine, said CT scan data of a patient’s head could be reconstructed into a 3D image. If someone got hold of that data, they could identify the patient and sell off the data.

To see if facial recognition software could indeed identify people by their MRIs, the team studied 84 participants who had a brain MRI within the past three months. Schwarz and colleagues created facial reconstruction images from each scan and used facial recognition software to try to match the scans to photographs of the volunteers.

The software correctly paired the photos to MRI scans in 70 of the 84 participants, an 83% success rate. And 95% of the time it placed the correct MRI among the top five possible matches.  

"Our study's 83% match rate suggests that facial recognition presents a possible means to reidentify research participants from their cranial MRIs," according to the researchers.

Experts at SIIM suggested in-depth data agreements could better protect patient privacy and offer details about how data will be used. Schwarz and Mayo plan to use the present study to develop a possible solution, to be published sometime in the near future.

"We are making good progress toward an initial solution," Schwarz explained. "Making data private and keeping it private is an always-evolving field. The insights we gained in this study will help us in our work to keep patient data private and use it more effectively for research into diseases and potential new therapies."