// reference investigation

cedar-medical-device-tamper — insulin pump config change + alarm suppression

Cedar Valley Hospital case CVH-2026-0318 — Medtronic MiniMed 770G pump for patient BED-412 received an unauthorized basal rate config push at 02:17 UTC · alarm suppression window of 4h 22m correlates with an ADT event that should have triggered clinical alert · HIPAA break-glass access log shows a service account accessing patient vitals outside a care window. Fully synthetic.

what this proves

every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (6/6).
every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.
the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

primary engines locked to this fixture

build the case binder

one click runs all primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

download evidence zip →download goldens zip →run this kit in your browser →

built deterministically from scripts/fixtures/build-cedar-medical-device-tamper.mjs. seed: cedar-medical-device-tamper:v1.

methodology

medical device tamper cases pivot on the config push timestamp and the alarm suppression window. the insulin pump log establishes the 02:17 UTC basal rate change; the monitor alarm log confirms the 4h 22m suppression window; the UDI tracking log verifies the device identity chain. the HIPAA break-glass access log closes the loop — the service account access outside the care window is the unauthorized access artifact that triggers the chain-of-custody requirement. read the full medical device tamper / clinical IoT guide →

after the playbook

export findings from each primary engine, then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timeline across config push, alarm suppression onset, ADT event, and break-glass access — still zero upload.

methodology article device tamper playbook forensics home

cedar-medical-device-tamper — insulin pump config change + alarm suppression

what this proves

every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (6/6).

every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.

the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

build the case binder

one click runs all primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

built deterministically from scripts/fixtures/build-cedar-medical-device-tamper.mjs. seed: cedar-medical-device-tamper:v1.

methodology

medical device tamper cases pivot on the config push timestamp and the alarm suppression window. the insulin pump log establishes the 02:17 UTC basal rate change; the monitor alarm log confirms the 4h 22m suppression window; the UDI tracking log verifies the device identity chain. the HIPAA break-glass access log closes the loop — the service account access outside the care window is the unauthorized access artifact that triggers the chain-of-custody requirement. read the full medical device tamper / clinical IoT guide →