I’ve started over the past few weeks to play with Apple’s new CareKit API.

And I thought it’d be interesting to put together a demo app using GWT (for a web front-end service), Java and Postgres (on the back end), and iOS (with CareKit and ResearchKit) for the iOS app.

Of course the project is incomplete. It does demonstrate basic account management, as well as mobile onboarding, but at present the code to edit care instructions or gather information from the mobile device is not working.

Important note: The code is not HIPPA compliant. Specifically not logging has been wired in to track access to patient data. This code should not be used in a medical setting, at least without a thorough understanding of the security issues involved with handling patient data, and without adding the necessary code for HIPPA compliance, including finer grained security access, and security auditing.

This does demonstrate a couple of interesting features, which I believe are critical when working on a mobile application in a health care setting:

• A Diffie-Hellman key exchange which encrypts the data that is exchanged. Private confidential information is encrypted in such a way so that even using a tool like Charles to reveal the contents of the packets will reveal no confidential information. (This algorithm is even implemented within GWT, so confidential information on the front-end web site is preserved in the face of an SSL “man in the middle” attack. Note that a number of firewall/antivirus products will generate a certificate which permits those products to examine all data between a client and server–so simply using SSL is insufficient in securing data between a client and server.)
• An “Apple-TV” style login process, whereby the user logs in on the web, and adds his mobile device by entering an 8-character string displayed on his phone. This greatly simplifies the process of adding a device to an account–which is important for elder patients who may not have the motor skills to use the built-in keyboard on iOS.

Of course there are a bunch of things I haven’t completed yet, but which I intend to tinker with over the next few weeks and months:

• Allowing a care plan to be edited in the GWT front end, so that a medical professional can create a care plan, and securely synchronize that plan with a mobile device.
• Allow compliance and measurement information to be sent from the mobile device to the back-end, but with checks to determine if network access is available. The idea here is to allow information to be synchronized when the network is available, but only occasionally: data is cached and sent perhaps daily rather than at the moment when the measurement is taken.
• Allow compliance information to be viewed on the web by a care professional.

There are other features that would need to be added to make this a functional application. Specifically:

• A greater degree of access control and access authentication would need to be provided, in order to allow users to only view patient information they are authorized to view.
• Logging and auditing information would need to be provided to log all access to sensitive information, and to allow audits of sensitive information to be performed.
• Ideally this would also be integrated into a larger ERM system for patient care.

I do believe applications like CareKit are the wave of the future, in that it empowers users to have greater control over their own medical care, which is why I started playing with the software in the first place.

Complete sources can be found on GitHub.