Product Security

In support of our mission to save and sustain lives, we take product security seriously. 

Product Security Bulletins

  • Life2000 Ventilation System – ICS Advisory (ICSMA-24-319-01)
  • Baxter Connex Health Portal Vulnerabilities
  • Connex Spot Monitor – ICS Advisory (ICSMA-24-74-X)
  • Baxter (Welch Allyn) Product Configuration Tool Vulnerability
  • ConnectWise Vulnerabilities
  • Vulnerability in Mirth Connect
  • Spectrum V6, V8, V9 – ICS Advisory (ICSMA-22-251-01)
  • Axeda agent and Axeda Desktop Server for Windows
  • Apache Log4j Vulnerability
  • ExactaMix – CERT/CC Vulnerability Note (VU#383432) – PrintNightmare
  • ExactaMix – ICS Advisory (ICSMA-20-170-01)
  • Prismaflex – ICS Advisory (ICSMA-20-170-02)
  • PrisMax – ICS Advisory (ICSMA-20-170-02)
  • Phoenix – ICS Advisory (ICSMA-20-170-03)
  • Spectrum V6, V8, V9 – ICS Advisory (ICSMA-20-170-04)
  • Treck TCP/IP Stack (Ripple20) Vulnerabilities (ICSA-20-168-01) – separate notices for PrisMax and Spectrum
  • Critical Vulnerabilities in Microsoft Windows Operating Systems (AA20-014A)
  • SweynTooth Vulnerabilities – No Impact to Baxter Products
  • ExactaMix – Multiple Windows SMB Remote Code Execution Vulnerabilities
  • ExactaMix – Microsoft Security Advisory for CVE-2019-0708 "Remote Desktop Services Remote Code Execution Vulnerability"
  • Sigma Spectrum Infusion System Vulnerabilities – ICS Advisory (ICSA-15-181-01)
  • IPnet and VxWorks Urgent/11 Advisory – No Impact to Baxter Products

Request a Document

To request the Baxter document(s) listed below, click the link and submit your request along with your business contact information (i.e., your name, role, company, address and phone number), or contact your Baxter service representative.

Email request for ExactaMix Cybersecurity Guide

Product Security Questions

Customers with a specific question about any Baxter product can reach out to [email protected] or contact their Baxter service representative.

Global Privacy Policy

Baxter has established a Global Privacy Policy to reflect the foregoing principles which are a key part of Baxter company culture and operations.

Baxter's Coordinated Vulnerability Disclosure Process

Baxter’s mission is to save and sustain lives. Fundamental to our mission and strategy, we are committed to designing, manufacturing, and maintaining safe and secure medical devices. We also know that cybersecurity threats and vulnerabilities change rapidly. Therefore, we are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process outlined below.

Scope

Baxter created this coordinated disclosure process for security researchers to report potential vulnerabilities related to Baxter’s commercially available products. It is not meant for technical support information on Baxter products or for reporting Adverse Events or Product Quality Complaints. For these other matters, please use the appropriate reporting channel at https://www.baxter.com/contact-and-support/contact.page.

How to submit

If you have discovered a potential vulnerability related to a Baxter product, we ask you to contact us in English at [email protected]. Please encrypt your email using our GPG (GnuPG) public key.

Please include the following information:

  • Contact information so we can get in touch with you (name, organization, email address and phone number)
  • Whether you believe multiple vendors are affected
  • When and where the vulnerability was discovered
  • Technical description of the vulnerability and environment in which it was discovered
  • Name, version, and configuration details of the affected product
  • Specific impact and how you envision this vulnerability could be used in an attack
  • Information about the tools and techniques you used to discover this vulnerability
  • Any proof of concept or exploit code
  • Any indications of the vulnerability being exploited
  • Prior or intended disclosure of vulnerability information to other parties (e.g. regulators, vulnerability coordinators, vendors)

Please do not include any personal information, such as sensitive/health information.

What Baxter will do

  • We will acknowledge receipt of the report within 7 days.
  • We will escalate the report to the appropriate team to verify and reproduce the reported vulnerability. You may be contacted during this time to support our verification efforts.
  • We will evaluate the reported vulnerability and conduct a risk analysis to determine appropriate action to take.
  • If Baxter determines the issue warrants disclosure, we will publish notification on this page, and we will report it to the appropriate external parties such as Cyber Emergency Response Teams (CERTs) and Information Sharing and Analysis Organizations (ISAOs).

Additional Information for Security Researchers

Please conduct testing only in secure environments and in compliance with the following:

  • All laws and regulations
  • Avoiding any testing that could hurt patients, cause a privacy issue, or damage equipment
  • Avoiding testing on devices in use or software that is in a production environment
  • Avoiding actions taken to exploit any vulnerability
  • Avoiding action that could make changes to a product or system after the test is completed

Notice:

By submitting information through this process, you agree that it will be considered non-proprietary and non-confidential, and that Baxter is allowed to use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Baxter.

Dedicated Team

We have a dedicated team that is committed to and passionate about ensuring our products are safe and secure for their intended clinical use. We have developed our products with cybersecurity controls integrated into the design, using a Common Cybersecurity Control Framework for Medical Devices that takes into consideration industry-leading standards, regulations, and guidance documents. While we have focused resources on developing safe and secure products, we know that the cybersecurity threat landscape changes every day. Baxter prides itself on being responsive and transparent with our customers about cybersecurity.

We are proud to have a global team of cybersecurity professionals that are dedicated to product security. Our team members are passionate about security and care about the safety of our patients. There are dedicated resources that support both the secure development of new products and the sustained maintenance of our fielded devices. We know cybersecurity is a dynamic field and we are committed to protecting our patients throughout the entire product lifecycle.

We are proud to have dedicated Business Information Security Officers (BISOs) for each of our business units. The BISOs bring a wealth of experience and knowledge to serve as trusted advisors for our business and product leaders. This allows cybersecurity to be integrated into everything we do. There are also dedicated cybersecurity engineers who support specific products during their development to work through the product-specific security requirements. Last but not least, we have dedicated resources that conduct thorough cybersecurity risk management procedures that are consistent with our high standard of product risk management.

Cybersecurity Design

We have proudly developed a Cybersecurity Common Controls Framework for Medical Devices (C3FMD). The intent of the C3FMD is to provide a consistent and common cybersecurity controls framework for medical device design and engineering that is based on industry standards and best practices, is comprehensive in its security coverage, and addresses the demands of a rapidly evolving cybersecurity landscape. In the C3FMD, cybersecurity is driven first and foremost by patient health and safety concerns.

It is critical to ensure that any medical devices impacting patient health and safety are operated, deployed and managed in a safe, secure and reliable manner. This framework ensures that our products are developed consistently, with cybersecurity capabilities built into the medical device. C3FMD covers the following key categories of controls: authentication, authorization, access controls, audit, and cryptography. This framework is a prescribed set of baseline cybersecurity controls that enhance the security posture of medical devices and reduce their risk of compromise.

Responsive & Transparent

We are committed to providing transparent information to our customers about product security. In an effort to share information, we provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2), from the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society, which contains important cybersecurity design features such as:

  • Audit Controls
  • Authorization
  • Data Backup and Disaster Recovery
  • Malware Detection/Protection
  • System and Application Hardening
  • Transmission Confidentiality and Integrity

In addition to the information provided in the MDS2, we provide cybersecurity information in our user manuals and customer communications. For any further inquiries, customers can feel free to work with their sales or service representatives.

Partnerships

The healthcare ecosystem is increasingly complex and interconnected. In order to protect patients and ensure our products are safe and secure, the entire healthcare industry has to work closely together. To achieve greater security, we value the relationships and partnerships we maintain across the healthcare ecosystem. We are proud of all the thought leaders that make up our product security team. There are several organizations that we work with to gather and share cyber information, such as:

  • National Health Information Sharing and Analysis Center (NH-ISAC)
  • Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
  • Advanced Medical Technology Association (AdvaMed)
  • Association for the Advancement of Medical Instrumentation (AAMI)
  • Homeland Security Information Network (HSIN)
  • Medical Device Innovation, Safety, and Security Consortium (MDISS)
  • Medical Device Security Information Sharing Council (MDSISC)
  • Medical Device Innovation Consortium (MDIC)