// reference investigation

lindqvist-medical-device-tamper — insulin pump config change + alarm suppression

Lindqvist Memorial case LMM-2026-0422 — patient RM-207 in CCU-7A: unauthorized Medtronic 770G basal push at 03:48 UTC, Philips IntelliVue alarm suppressed 3h 51m, correlated svc-biomed-api-02 break-glass at 03:41/03:48 and missed ADT alert at 03:44; hypoglycemia 48 mg/dL at 07:42. Fully synthetic.

what this proves

every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (6/6).
every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.
the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

primary engines locked to this fixture

build the case binder

one click runs all primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

download evidence zip →download goldens zip →run this kit in your browser →

built deterministically from scripts/fixtures/build-lindqvist-medical-device-tamper.mjs. seed: lindqvist-medical-device-tamper:v1.

methodology

medical device tamper cases pivot on the config push timestamp and the alarm suppression window. the insulin pump log establishes the 02:17 UTC basal rate change; the monitor alarm log confirms the 4h 22m suppression window; the UDI tracking log verifies the device identity chain. the HIPAA break-glass access log closes the loop — the service account access outside the care window is the unauthorized access artifact that triggers the chain-of-custody requirement. read the full medical device tamper / clinical IoT guide →

after the playbook

export findings from each primary engine, then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timeline across config push, alarm suppression onset, ADT event, and break-glass access — still zero upload.

methodology article device tamper playbook forensics home

lindqvist-medical-device-tamper — insulin pump config change + alarm suppression

what this proves

every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (6/6).

every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.

the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.

build the case binder

one click runs all primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.

runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload

download the synthetic evidence

MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. Compare your local runs against the published goldens.

built deterministically from scripts/fixtures/build-lindqvist-medical-device-tamper.mjs. seed: lindqvist-medical-device-tamper:v1.

methodology

medical device tamper cases pivot on the config push timestamp and the alarm suppression window. the insulin pump log establishes the 02:17 UTC basal rate change; the monitor alarm log confirms the 4h 22m suppression window; the UDI tracking log verifies the device identity chain. the HIPAA break-glass access log closes the loop — the service account access outside the care window is the unauthorized access artifact that triggers the chain-of-custody requirement. read the full medical device tamper / clinical IoT guide →