Inspiration

Healthcare is the most targeted sector for cyberattacks globally, and the consequences go far beyond data loss. A compromised hospital network directly disrupts patient care, treatment workflows, and privacy (SDG 3: Good Health and Well-being). Billing departments are especially exposed: they process high volumes of credit card transactions daily, making administrative staff a prime social engineering target. While PCI-DSS Requirement 12.6 legally mandates security awareness training, existing tools are static, linear, and forgettable. We wanted to build something that actually works: an adaptive, hands-on simulator engineered specifically for healthcare financial staff. Alongside this, we integrate a seamless connection to health insights for a routine check-up; once your fitwear is connected to the app (in future through an API) you can see insights. The current version requires users to enter the monthly data as a CSV file or through the input section.

What it does

HealthAI Nexus is a gamified phishing awareness and clinical intelligence platform built for healthcare environments. It has two modules:

  • The Phishing Simulator drops users into a mock hospital inbox with no hints and no safety net. The AI generates a fresh, randomized mix of phishing and legitimate emails every session — so users can't just click "Phishing" every time. After each answer, red flags and a plain-English explanation are revealed. A live score ring tracks accuracy in real time, and a final AI-generated report delivers a personalised security grade with a specific actionable tip.
  • The Patient Dashboard lets clinical or administrative users enter monthly health metrics and get an instant AI-powered analysis, including trend visualisation, five risk indicators, and a structured clinical summary, all without any data leaving the browser unless an API key is explicitly configured.

How we built it

We used a zero-backend, serverless-frontend architecture to maximise deployment speed and eliminate API exposure risk. The entire app is a single static folder: open index.html and it runs. The AI layer uses a cascading provider chain: Gemini 2.5 Flash is tried first, then Groq (Llama 3.3 70B) for speed, then OpenRouter (Llama 3.3 70B), then HuggingFace (Mistral 7B), and finally WebLLM as a last resort, running a quantised Llama 3.2 model entirely in the browser via WebGPU with no key required at all. Health data is visualised with Chart.js on a multi-axis live graph that updates on every entry.

Challenges we ran into

Obtaining reliable, structured JSON from five different AI vendors, each with different response formats, limits, and failure behaviours, meant building an effective fallback chain with per-vendor retries and model cycling within each vendor. Striking the right balance between clinical neutrality in the AI-generated output (no diagnostic statements, only informative ones) and something usable and readable required many iterations on the prompts. It was also harder than I had anticipated to make the phishing emails feel authentic while still being educational afterwards.
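One way to structure the cascading provider chain from "How we built it" together with the per-vendor retry and model-cycling behaviour described above, as an added JavaScript example that is not the project's own code: the provider names, model ids and responses are constructed stand-ins, and the real network calls are replaced by injected functions so the chain runs offline.

```javascript
// Added example, not the project's code: a provider fallback chain that accepts
// only a response that parses as JSON in the expected shape.

// Expected shape of one generated inbox item; anything else is rejected so a
// malformed or off-script model response never reaches the UI unvalidated.
function validateEmailItem(o) {
  return o !== null && typeof o === 'object' &&
    typeof o.subject === 'string' && typeof o.body === 'string' &&
    typeof o.isPhishing === 'boolean' &&
    Array.isArray(o.redFlags) && o.redFlags.every(f => typeof f === 'string');
}

// Models often wrap JSON in prose or code fences: take the outermost object
// literal, parse it, validate it. Returns null on any failure.
function parseStructured(text) {
  const m = /\{[\s\S]*\}/.exec(String(text));
  if (!m) return null;
  try { const o = JSON.parse(m[0]); return validateEmailItem(o) ? o : null; }
  catch (_) { return null; }
}

// providers: [{ name, models: [...], call: async (model, prompt) => string }]
// Tries providers in order, cycles each provider's models, retries each model a
// bounded number of times; resolves to { provider, model, item, attempts } or
// rejects when the whole chain fails (where the app would fall back to WebLLM).
async function generateWithFallback(providers, prompt, retriesPerModel = 2) {
  let attempts = 0;
  for (const p of providers) {
    for (const model of p.models) {
      for (let i = 0; i < retriesPerModel; i++) {
        attempts++;
        let raw; // a thrown error (network, rate limit) counts as a failed attempt
        try { raw = await p.call(model, prompt); } catch (_) { continue; }
        const item = parseStructured(raw);
        if (item) return { provider: p.name, model, item, attempts };
      }
    }
  }
  throw new Error('every provider in the chain failed');
}

// Constructed stand-ins (hypothetical names, no network): the first provider
// rate-limits, the second returns truncated JSON from its first model and a
// prose-wrapped valid object from its second; the local one is never reached.
const constructedProviders = [
  { name: 'gemini', models: ['flash'], call: async () => { throw new Error('429'); } },
  { name: 'groq', models: ['llama-a', 'llama-b'], call: async (model) =>
      model === 'llama-a' ? 'Sure! {"subject": "x"' : 'Here it is:\n' +
      '{"subject":"URGENT: COMPLIANCE AUDIT FAILURE","body":"Open the attached notice today.",' +
      '"isPhishing":true,"redFlags":["urgency","unexpected attachment"]}\nAnything else?' },
  { name: 'webllm', models: ['local'],
    call: async () => '{"subject":"Cafeteria menu","body":"Attached.","isPhishing":false,"redFlags":[]}' },
];
```

Calling `generateWithFallback(constructedProviders, 'generate one inbox item')` resolves on the fifth attempt with the groq/llama-b item; a chain in which every provider fails rejects so the UI can switch to the in-browser model.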

Accomplishments that we're proud of

This app does not rely on any API key. With WebLLM, we can train hospital IT staff on a device entirely detached from the Internet. Moreover, the phishing tool gives authentic context after a wrong answer: each incorrect answer reveals all the relevant clues from the email.

What we learned

Urgency is the single most effective phishing vector in healthcare settings: a subject line like "URGENT: COMPLIANCE AUDIT FAILURE" gets clicks because administrative staff are conditioned to act fast on compliance issues. Engineering against that instinct, rather than just explaining it, is what makes simulation training effective. On the technical side, managing five AI providers gracefully, including a fully in-browser fallback, taught us a lot about designing for real-world API unreliability.

What's next for PhishHealth

Persistent analytics via a lightweight Supabase backend, so hospital IT administrators can track department-level compliance scores over time. Role-specific email generation tuned to a user's historical accuracy, with harder scenarios as scores improve. A fine-tuned local model for phishing generation that runs entirely on-device, removing the dependency on external AI providers.
