medical device tamper / clinical IoT — methodology
medical device tamper is not phi walking out the door. it is clinical iot integrity — wrong dose, suppressed alarms, unauthorized config on a pump, bedside monitor, ventilator, or implant tracked by udi inventory logs. evidence lives in device session exports, break-glass override records, and vendor audit trails that may have been re-exported after the event — authenticity scoring flags tampered logs before biomed and risk management cite dose or alarm counts. your job is to prove which physical device changed, when config or therapy diverged from policy, and whether the logs you are holding are complete — before patient safety review and regulatory escalation begin.
what evidence exists and how fast it dies
| artifact | volatility | time to loss |
|---|---|---|
| insulin pump session csv (medtronic / tandem) | rolling on device | overwritten when storage fills or unit is factory-reset |
| intellivue alarm + threshold export | rolling at central station | 30–90 days typical — longer if archived to cmms |
| udi scan + inventory chain export | persistent in asset system | stale after device swap if intake not updated same shift |
| break-glass / emergency access audit | rolling in ehr | 90 days to 6 years depending on retention policy |
| biomed cmms work order + config baseline snapshot | persistent if saved | superseded on next preventive maintenance cycle |
| vendor re-exported device log (text/csv) | persistent if saved | integrity degrades if re-exported after the incident window |
the first 10 minutes
- isolate the suspect device from network write paths — quarantine config push, not just the patient cable.
- photograph device label (udi, serial, firmware) before biomed touches settings.
- export pump / monitor / ventilator session logs from the unit or central station — hash immediately.
- pull udi inventory record for the bedside location — confirm serial matches the physical unit.
- collect break-glass audit for the patient and unit during the reported window.
- preserve cmms baseline config snapshot if biomed has one — do not accept a post-incident re-export alone.
- flag alarm silence or threshold-change events that precede the adverse event timestamp.
- notify clinical engineering and risk management with a factual device timeline — not a root cause yet.
- document collector, time, and hash for every export — first custody row goes in now.
- begin the path below.
the path
1. insulin pump log forensic analyzer
medtronic / tandem csv export. parses bolus deliveries, basal rate changes, occlusion alarms, and remote-config events tied to session timestamps.
why first: dose integrity starts at the pump — unauthorized basal or bolus changes are patient-safety events, not data theft.
2. philips intellivue monitor alarm log forensic analyzer
intellivue alarm export. surfaces arrhythmia alerts, threshold edits, alarm silence windows, and nurse-ack gaps across the bedside session.
why second: alarm suppression hides clinical deterioration — the silence window often predates the reported adverse event.
3. medical device udi tracking log forensic analyzer
udi scan + inventory export. maps implant lot, serial, location chain, and swap events — flags devices present on unit without matching intake record.
why third: swapped or unregistered hardware is a common vector for config tamper — udi chain proves which physical unit produced the logs.
4. hipaa break glass access log forensic analyzer
break-glass / emergency access export. parses reason codes, patient context, approver identity, and session duration for override events.
why fourth: break-glass is legitimate until it isn't — correlate override sessions to device config changes and alarm silences on the same patient.
5. log authenticity scorer
exported device or audit log text. scores out-of-order timestamps, mixed line endings, and injection markers against expected vendor format.
why fifth: vendors re-export logs after incidents — authenticity flags go to biomed and counsel before you cite dose or alarm counts.
6. case report generator
structured case metadata + hashed evidence files. produces a defensible pdf timeline with examiner, collection dates, and finding summaries.
why last: device tamper cases face fda, risk management, and patient-safety review — the report bundle is what survives the handoff.
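an added example (not one of the fatcousin tools) of the authenticity checks step 5 describes, run over a constructed pump export: mixed line endings, a timestamp rewind, and an injected control character. the vendor line format, the penalty weights and the sample records are assumptions for this example.

```python
import re
from datetime import datetime

# Vendor line shape assumed for this example (not a real vendor spec):
# "YYYY-MM-DDTHH:MM:SS,<serial>,<EVENT>,<detail>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),([A-Z0-9-]+),([A-Z_]+),(.*)$")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

def score_log(raw: bytes) -> dict:
    """Return {'score': 0-100, 'flags': [...], 'records': n} for an exported log.
    Each flag is a reason the file should not be cited for dose/alarm counts as-is."""
    text = raw.decode("utf-8", errors="replace")
    flags = []
    crlf = text.count("\r\n")
    lf_only = text.count("\n") - crlf
    if crlf and lf_only:                        # one file touched by two writers/editors
        flags.append(f"mixed line endings: {crlf} CRLF, {lf_only} LF")
    lines = [l for l in text.replace("\r\n", "\n").split("\n") if l]
    prev = None
    for n, line in enumerate(lines, 1):
        if "\ufffd" in line or any(ord(c) < 32 for c in line):
            flags.append(f"line {n}: non-printable bytes (injection or editor artefact)")
            continue
        if len(TS_RE.findall(line)) > 1:        # two records glued together without a newline
            flags.append(f"line {n}: multiple timestamps on one line")
            continue
        m = LINE_RE.match(line)
        if not m:
            flags.append(f"line {n}: does not match expected vendor format")
            continue
        ts = datetime.fromisoformat(m.group(1))
        if prev is not None and ts < prev:      # device exports are append-only; a rewind means edits
            flags.append(f"line {n}: timestamp {m.group(1)} earlier than previous record")
        prev = ts
    score = max(0, 100 - 15 * len(flags))       # penalty weight is an assumption
    return {"score": score, "flags": flags, "records": len(lines)}

# Constructed sample export: one CRLF line, one timestamp rewind, one control character.
SAMPLE = (
    b"2024-03-02T08:00:00,PUMP-A1,BASAL_SET,1.10 U/h\n"
    b"2024-03-02T08:15:00,PUMP-A1,BOLUS,4.0 U\r\n"
    b"2024-03-02T07:55:00,PUMP-A1,REMOTE_CONFIG,basal 2.20 U/h\n"
    b"2024-03-02T08:30:00,PUMP-A1,OCCLUSION,\x1bsilenced\n"
)

if __name__ == "__main__":
    result = score_log(SAMPLE)
    print(result["score"], *result["flags"], sep="\n")
```

a score below 100 means the file goes to biomed and counsel with its flags before any dose or alarm count from it is cited.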
cross-correlation
after the path, drop every csv/json export into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted view across dose change, alarm silence, break-glass override, and UDI swap — the override session should sit next to the threshold edit row, not in separate vendor portals. then run device serials, session ids, and log file hashes through fatcousin-cross-export-ioc-hash-correlator to catch the same unit id in pump export and monitor log before biomed cites dose counts. still zero upload.
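an added example of the cross-correlation step, not the fatcousin correlator itself: constructed pump, monitor, break-glass and udi exports merged into one timestamp-sorted view, with device changes that fall inside an override session and serials missing from the udi chain flagged. the column layouts, event names and sample rows are assumptions.

```python
import csv, io
from datetime import datetime
# Constructed exports; the column layouts are assumptions, not any vendor's real format.
PUMP = """ts,serial,event,detail
2024-03-02T08:00:00,PUMP-A1,BASAL_SET,1.10 U/h
2024-03-02T09:42:00,PUMP-A1,REMOTE_CONFIG,basal 2.20 U/h
"""
MONITOR = """ts,serial,event,detail
2024-03-02T09:40:00,MON-7,THRESHOLD_EDIT,SpO2 low 90->80
2024-03-02T09:41:00,MON-7,ALARM_SILENCE,120s
"""
BREAKGLASS = """start,end,user,patient,reason
2024-03-02T09:38:00,2024-03-02T09:50:00,jdoe,PT-100,emergency
"""
UDI = """serial,location,intake_ts
PUMP-A1,ICU-4,2024-02-20T10:00:00
"""
SENSITIVE = {"REMOTE_CONFIG", "THRESHOLD_EDIT", "ALARM_SILENCE"}  # changes that need a named actor

def parse(text, ts_field, source):
    """Read one export into dict rows tagged with its source and a parsed timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["source"], r["t"] = source, datetime.fromisoformat(r[ts_field])
        rows.append(r)
    return rows

def super_timeline(pump, monitor, breakglass):
    """One timestamp-sorted view across pump, monitor and override exports."""
    events = parse(pump, "ts", "pump") + parse(monitor, "ts", "monitor")
    for s in parse(breakglass, "start", "break-glass"):
        s["event"], s["serial"] = "OVERRIDE", s["user"]   # normalise to the device-row columns
        events.append(s)
    return sorted(events, key=lambda e: e["t"])

def correlate(timeline, udi):
    """Flag sensitive changes inside an override session, then serials with no UDI intake record."""
    findings = []
    sessions = [e for e in timeline if e["source"] == "break-glass"]
    for e in timeline:
        for s in sessions:
            if e["event"] in SENSITIVE and s["t"] <= e["t"] <= datetime.fromisoformat(s["end"]):
                findings.append(f"{e['t'].isoformat()} {e['serial']} {e['event']} during override by {s['user']}")
    known = {r["serial"] for r in csv.DictReader(io.StringIO(udi))}
    for serial in sorted({e["serial"] for e in timeline if e["source"] != "break-glass"}):
        if serial not in known:
            findings.append(f"{serial}: in device logs but no UDI intake record")
    return findings
```

run correlate(super_timeline(PUMP, MONITOR, BREAKGLASS), UDI) to see the override session land next to the threshold edit, alarm silence and remote-config rows, plus the monitor serial that never passed intake.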
reference investigation
synthetic fixture pending — reference pack with pump dose anomaly, intellivue alarm silence window, udi swap mismatch, break-glass override correlation, and re-exported log authenticity flags will ship in a follow-up milestone. compare output via npm run check:flagship once published.