Information Security and Cybersecurity

Protecting Personal Information

Baxter recognizes and respects the rights of patients, employees and healthcare professionals with regard to their personal information. The company obtains personal information only in a lawful and ethical manner, and uses, processes, stores, and/or retains personal information only for legitimate business purposes and only as permitted by applicable law.

To establish security safeguards, Baxter maintains a Global Privacy Office to address three major areas of privacy: patient personal and health information; employee personal information; and personal information managed by the company’s service providers.

Baxter has established a Global Privacy Policy to reflect the foregoing principles, which are a key part of Baxter company culture and operations. All Baxter employees are required to complete an online training course on the Policy to ensure they understand the Policy and their responsibility to adhere to it.

Baxter’s Global Privacy Program was developed with reference to relevant international regulations, including the U.S. Health Insurance Portability and Accountability Act (HIPAA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and European Union Data Protection Compliance and Global Data Transfer programs, and further aligns with concepts and requirements from the European Union’s Data Protection Directive (95/46/EC) and the U.S. Department of Commerce’s Safe Harbor Privacy Principles, among other regional laws. It is also intended to be consistent with the framework of the American Institute of Certified Public Accountants (AICPA) Generally Accepted Privacy Principles (GAPP) and the APEC Privacy Framework.

Alignment with Recognized Standards

Baxter’s Global Information Technology (IT) function continually seeks to design cybersecurity programs and monitor best practices in order to secure information and support cybersecurity and information protection efforts, and it works with Baxter's Global Privacy Office to support data privacy initiatives.

Baxter’s Information Security Program (the IPP) is founded on standards adopted by the Information Security Forum (ISF), an independent, not-for-profit organization considered the leading authority on cybersecurity, information security and risk management. The ISF Standard of Good Practice for Information Security is considered by many to be one of the most comprehensive information security standards in the world, covering a broad spectrum of information security arrangements and presenting security best practices in practical and clear statements.

Baxter’s IPP includes global policies, organizational awareness mechanisms and compliance systems, and enforces appropriate use and protection of the company’s information and technology. The company has made significant investment in people, process and technology to address the ever-present risk of cyber-attack and data loss. This includes advanced threat detection and security analytics technologies within Baxter’s network.

Actively Monitoring Industry-Wide Security Practices

Baxter is an active participant in information-sharing activities intended to enhance its understanding and approach to cybersecurity, including:

  • Collaborating with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—a division of the Department of Homeland Security’s Office of Cybersecurity and Communications—on reported vulnerabilities.
  • Actively participating with the National Health Information Sharing and Analysis Center (NH-ISAC), which is focused on cybersecurity prevention, protection, mitigation and response on behalf of the national healthcare industry. As a member, Baxter further benefits from NH-ISAC situational awareness and intelligence, information sharing, sector and cross-sector impact analysis, incident response, leading practices and workforce education.
  • Partnering with customers who are pioneers and leaders in healthcare cybersecurity to jointly evaluate best cybersecurity practices; insights gained through this initiative are shared with Baxter Research & Development and IT teams to enhance current cybersecurity efforts and inform future system requirements.

Adherence to Cybersecurity Requirements

In support of our mission of saving and sustaining lives, Baxter has invested in a dedicated medical device cybersecurity organization focused on assuring the availability of our devices, the integrity of the therapies and services delivered on our devices, and the confidentiality of our patients’ information.

To enhance the security of our devices and to comply with recently published FDA Guidance on Cybersecurity, Baxter follows a framework of cybersecurity standards and best practices developed by the National Institute of Standards and Technology (NIST), a federal agency within the U.S. Department of Commerce that conducts and publishes research on improved techniques for protecting data, information and systems from cyber-attack. The NIST cybersecurity framework rests upon five high-level functions:

  1. Identify: As an organization, recognize and understand how to manage cybersecurity risks
  2. Protect: Deploy cybersecurity safety measures designed to prevent or limit the impact of potential cybersecurity attacks
  3. Detect: Put into place monitoring and systems that allow Baxter to quickly discover cybersecurity threats and attacks
  4. Respond: When a potential cybersecurity threat or attack is detected, take appropriate action to mitigate or contain the event
  5. Recover: Prepare plans and systems to facilitate a prompt recovery to normal operations after a potential cyber-attack

Baxter incorporates cybersecurity protocols into product development, risk assessments, regulatory submissions and ongoing testing processes for its products, which are intended to reflect:

  • FDA and international regulatory guidelines and requirements for medical device cybersecurity, functionality, safety and privacy, including United States HIPAA, Health Information Technology for Economic and Clinical Health Act (HITECH) and FDA 21 CFR Part 11 requirements; European Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC.
  • Recognized consensus standards for information technology and medical device security set by leading not-for-profit authorities, including:
    • Clinical & Laboratory Standards Institute (CLSI), which develops consensus-based clinical laboratory standards for improving testing quality, safety and efficiency
    • International Electrotechnical Commission (IEC), the world’s leading organization that prepares and publishes international standards for all electrical, electronic and related technologies
    • Association for the Advancement of Medical Instrumentation (AAMI), the primary source of consensus standards for the medical device industry
    • American National Standards Institute (ANSI), the coordinator of the U.S. private sector, voluntary standardization system
  • Ongoing rigorous vulnerability testing of devices and software through the use of internal and third-party experts.