In support of our mission to save and sustain lives, we take product security seriously.
We have a dedicated team that is committed to and passionate about ensuring our products are safe and secure for their intended clinical use. We have developed our products with cybersecurity controls integrated into the design, using a Common Cybersecurity Control Framework for Medical Devices which takes into consideration industry-leading standards, regulations, and guidance documents. While we have focused resources on developing safe and secure products, we know that the cybersecurity threat landscape changes every day. Baxter prides itself on being responsive and transparent with our customers about cybersecurity.
We are proud to have a global team of cybersecurity professionals that are dedicated to product security. Our team members are passionate about security and care about the safety of our patients. There are dedicated resources that support both the secure development of new products and the sustained maintenance of our fielded devices. We know cybersecurity is a dynamic field and we are committed to protecting our patients throughout the entire product lifecycle.
We are proud to have dedicated Business Information Security Officers (BISOs) for each of our business units. The BISOs bring a wealth of experience and knowledge and serve as trusted advisors for our business and product leaders. This allows cybersecurity to be integrated into everything we do. There are also dedicated cybersecurity engineers that support specific products during their development to work through the specific product security requirements. Last but not least, we have dedicated resources that conduct thorough cybersecurity risk management procedures that are consistent with our high standard of product risk management.
We have proudly developed a Cybersecurity Common Controls Framework for Medical Devices (C3FMD). The intent of the Cybersecurity Common Controls Framework (C3FMD) is to provide a consistent and common cybersecurity controls framework that addresses the above security concerns for medical device design and engineering, that is based on industry standards and best practices, is comprehensive in its security coverage, and that addresses the demands of a rapidly evolving cybersecurity landscape. In the C3FMD, cybersecurity is driven first and foremost by patient health and safety concerns.
It is critical to ensure that any medical devices impacting patient health and safety are operated, deployed and managed in a safe, secure and reliable manner. This framework ensures that our products are developed consistently with cybersecurity capabilities built into the medical device. C3FMD covers the following key categories of controls: authentication, authorization, access controls, audit, and cryptography. This framework is a prescribed set of baseline cybersecurity controls which enhance the security posture and reduce the risk of compromise against target medical devices.
Responsive & Transparent
We are committed to providing transparent information to our customers about product security. In an effort to share information, we provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2), from the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society, which contains important cybersecurity design features such as:
- Audit Controls
- Data Backup and Disaster Recovery
- Malware Detection/Protection
- System and Application Hardening
- Transmission Confidentiality and Integrity
In addition to the information provided in the MDS2, we provide cybersecurity information in our user manuals and customer communications. For any further inquiries, customers can feel free to work with their sales or service representatives.
The healthcare ecosystem is increasingly complex and interconnected. In order to protect patients and ensure our products are safe and secure, the entire healthcare industry has to work closely together. To achieve greater security, we value the relationships and partnerships we maintain across the healthcare ecosystem. We are proud of all the thought leaders that make up our product security team. There are several organizations that we work with to gather and share cyber information, such as:
- National Health Information Sharing and Analysis Center (NH-ISAC)
- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
- Advanced Medical Technology Association (AdvaMed)
- Association for the Advancement of Medical Instrumentation (AAMI)
- Homeland Security Information Network (HSIN)
- Medical Device Innovation, Safety, and Security Consortium (MDISS)
- Medical Device Security Information Sharing Council (MDSISC)
- Medical Device Innovation Consortium (MDIC)
Announcements and Additional Resources
Product Security Bulletin: Remote Desktop Services
Microsoft Security Advisory for CVE-2019-0708 "Remote Desktop Services, Remote Code Execution Vulnerability."
Request a Document
To request the Baxter document(s) listed below, click and submit your request along with your business contact information (i.e. Your Name, Role, Company, Address, Phone Number) or contact your Baxter service representative.
Product Security Questions
Customers with a specific question about any Baxter product can reach out to [email protected] or contact their Baxter service representative.