A new encryption framework lets hospitals train medical foundation models together without ever sharing raw patient data or risking privacy leaks.

Can we build powerful medical AI without exposing sensitive patient records to hackers? Hospitals want to collaborate, but traditional data sharing is a privacy minefield. Even standard federated learning, where institutions train models locally and share parameters, remains vulnerable to reverse-engineering attacks.

For years, medical AI has been stuck in silos. Individual hospitals do not have enough diverse data to train robust foundation models, yet privacy laws rightly prevent them from pooling patient files. This new framework, called FOCAL, challenges the assumption that we must trade clinical accuracy for absolute privacy. By processing fully encrypted data through split training, it suggests that secure, multi-institution AI development is a practical reality. This shifts the industry standard for what counts as safe medical collaboration.

Zero leaks and better accuracy

The researchers tested FOCAL against gradient inversion attacks, which attempt to reconstruct private images from model updates. The results show a stark contrast to traditional methods:

• Data leakage dropped from 90.6% to 0% under active attacks.
• The macro-average AUROC rose from 0.5202 to 0.9831 compared to fully encrypted federated learning models.
• Ocular disease diagnosis AUROC improved by 9.62% over single-institution models.
• Ocular severity classification AUROC increased by 14.46%.

This performance leap is crucial. Previous attempts to use homomorphic encryption in healthcare often crippled model accuracy or required too much computing power, as documented in a comprehensive survey on secure healthcare data processing. FOCAL bypasses this trade-off. It matches the accuracy of state-of-the-art federated learning while keeping the data locked.

The real-world hurdles

Why does this finding matter? It means medical networks can train large foundation models on diverse, real-world pathology and retinal datasets without legal or ethical bottlenecks. It proves that decentralized healthcare AI does not need to rely on trust alone.

However, homomorphic encryption still carries a heavy computational cost. While FOCAL optimizes this via split training, running these workflows across hundreds of smaller clinics with limited hardware remains a challenge. Similar scaling hurdles have been noted in broader secure federated learning research. Until we see benchmarks on standard hospital servers, widespread adoption may lag behind the math.

External validations on retinal and pathology models confirmed that FOCAL maintains reliable interpretability. This is vital because clinicians will not trust a “black box” model, even if it is perfectly secure. By proving that encrypted collaborative learning can outperform isolated, single-institution models, this framework sets a new benchmark for clinical AI development.

Read the full preprint at medRxiv.