In support of our mission to save and sustain lives, we take product security seriously.
- Product Security Bulletins and Additional Information
- Coordinated Vulnerability Disclosure Process
- Dedicated Team
- Cybersecurity Design
- Responsive and Transparent
Product Security Bulletins and Additional Resources
For the latest product security bulletins, please check our global website at https://www.baxter.com/product-security
Request a Document
To request the Baxter document(s) listed below, click and submit your request along with your business contact information (i.e. Your Name, Role, Company, Address, Phone Number) or contact your Baxter service representative.
Product Security Questions
Customers with a specific question about any Baxter product can reach out to [email protected] or contact their Baxter service representative.
Baxter's Coordinated Vulnerability Disclosure Process
Baxter’s mission is to save and sustain lives. Fundamental to our mission and strategy, we are committed to designing, manufacturing, and maintaining safe and secure medical devices. We also know that cybersecurity threats and vulnerabilities change rapidly. Therefore, we are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process outlined below.
Baxter created this coordinated disclosure process for security researchers to report potential vulnerabilities related to Baxter’s commercially available products. It is not meant for technical support information on Baxter products or for reporting Adverse Events or Product Quality Complaints. For all of these other matters please visit our contact us page.
How to submit
If you have discovered a potential vulnerability related to a Baxter product, we ask you to contact us in English at [email protected]. Please encrypt your email using our GPG (GnuPG) public key.
Please include the following information:
- Contact information so we can get in touch with you. (name, organization, email address and phone number).
- Whether you believe multiple vendors are affected
- When and where the vulnerability was discovered
- Technical description of the vulnerability and environment in which it was discovered
- Name, version, and configuration details of the affected product
- Specific impact and how you envision this vulnerability could be used in an attack
- Information about the tools and techniques you used to discover this vulnerability
- Any proof of concept or exploit code
- Any indications of the vulnerability being exploited
- Prior or intended disclosure of vulnerability information to other parties (e.g. regulators, vulnerability coordinators, vendors)
Please do not include any personal information, such as sensitive/health information.
What Baxter will do
- We will acknowledge receipt of the report within 7 days.
- We will escalate the report to appropriate team to verify and reproduce the reported vulnerability. You may be contacted during this time to support our verification efforts.
- We will evaluate the reported vulnerability and conduct a risk analysis to determine appropriate action to take.
- If Baxter determines the issue warrants disclosure, we will publish notification on this page, and we will report it to the appropriate external parties such as Cyber Emergency Response Teams (CERTs) and Information Sharing and Analysis Organizations (ISAOs).
Additional information For Security Researchers:
Please only conduct testing in secure environments, which comply with the following:
- All laws and regulations
- Avoiding any testing that could hurt patients, cause a privacy issue, or damage equipment
- Avoiding testing on devices in use or software that is in a production environment
- Avoiding actions taken to exploit any vulnerability
- Avoiding action that could make changes to a product or system after the test is completed
By submitting information through this process, you agree that it will be considered non-proprietary and non-confidential, and that Baxter is allowed to use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Baxter.
We have a dedicated team that is committed to and passionate about ensuring our products are safe and secure for their intended clinical use. We have developed our products with cybersecurity controls integrated into the design, using a Common Cybersecurity Control Framework for Medical Devices which takes into consideration industry-leading standards, regulations, and guidance documents. While we have focused resources on developing safe and secure products, we know that the cybersecurity threat landscape changes every day. Baxter prides itself on being responsive and transparent with our customers about cybersecurity.
We are proud to have a global team of cybersecurity professionals that are dedicated to product security. Our team members are passionate about security and care about the safety of our patients. There are dedicated resources that support both the secure development of new products and the sustained maintenance of our fielded devices. We know cybersecurity is a dynamic field and we are committed to protecting our patients throughout the entire product lifecycle.
We are proud to have dedicated Business Information Security Officers (BISO) for each of our business units. The BISOs bring a wealth of experience and knowledge, to serve as a trusted advisor for our business and product leaders. This allows cybersecurity to be integrated into everything we do. There are also dedication cybersecurity engineers that support specific products during their development to work through the specific product security requirements. Last but not least, we have dedicated resources that conduct thorough cybersecurity risk management procedures that are consistent with our high-standard of product risk management.
We have proudly developed a Cybersecurity Common Controls Framework for Medical Devices (C3FMD). The intent of the Cybersecurity Common Controls Framework (C3FMD) is to provide a consistent and common cybersecurity controls framework that addresses the above security concerns for medical device design and engineering, that is based on industry standards and best practices, is comprehensive in its security coverage, and that addresses the demands of a rapidly evolving cybersecurity landscape. In the C3FMD, cybersecurity is driven first and foremost by patient health and safety concerns.
It is critical to ensure that any medical devices impacting patient health and safety are operated, deployed and managed in a safe, secure and reliable manner. This framework ensure that our products are developed consistently with cybersecurity capabilities built into the medical device. C3FMD covers the following key categories of controls: authentication, authorization, access controls, audit, and cryptography. This framework is a prescribed set of baseline cybersecurity controls which enhance the security posture and reduce the risk of compromise against target medical devices.
Responsive & Transparent
We are committed providing transparent information to our customers about product security. In an effort to share information, we provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2), from the National Electrical Manufacturers Association and the Healthcare Information and Management System Society, which contains important cybersecurity design features such as:
- Audit Controls
- Data Backup and Disaster Recovery
- Malware Detection/ Protection
- System and Application Hardening
- Transmission Confidentiality and Integrity
In addition to the information provided in the MDS2, we provide cybersecurity information in our user manuals and customer communications. For any further inquiries, customers can feel free to work with their sales or service representatives.
The healthcare ecosystem is increasingly complex and interconnected. In order to protect patients and ensure our products are safe and secure, the entire healthcare industry has to work closely together. To achieve greater security, we value the relationships and partnerships it maintains across the healthcare ecosystem. We are proud of all the thought leaders that make up our product security team. There are several organizations that we work with to gather and share cyber information, such as:
- National Health Information Sharing and Analysis Center (NH-ISAC)
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
- Advanced Medical Technology Association (AdvaMed)
- Association for the Advancement of Medical Instrumentation (AAMI)
- Homeland Security Information Network (HSIN)
- Medical Device Innovation, Safety, and Security Consortium (MDISS)
- Medical Device Security Information Sharing Council (MDSISC)
- Medical Device Innovation Consortium (MDIC)