Baxter 2021 Corporate Responsibility Report

Cross-Cutting Commitments

Relevant Policies and Standards

• Global Privacy Policy (internal): Defines our privacy standards and guides our global operations to follow consistent controls for protecting personal information
• Global Privacy Policy (external): Describes how we may collect and use the information of customers and others with whom we interact
• Digital Security Policy (internal): Outlines our approach to information security and the standards we require employees and suppliers to follow

Baxter is committed to respecting the privacy of our employees, patients and customers and protecting the security of our infrastructure and products. This commitment is reinforced through executive oversight, policies and standards, and mandatory employee training.

We monitor global regulations closely, including relevant developments and actions related to the EU General Data Protection Regulation, recently introduced laws in China related to privacy and data protection, and other requirements in the places we do business. In addition to external regulations, we hold ourselves accountable to our own rigorous internal policies and standards.

Management and oversight of Privacy and IT security is a priority for Baxter leadership. Our Information Risk Committee, co-led by our Chief Privacy Officer and our Chief Information Security Officer, ensures Baxter’s privacy and security efforts are aligned with the company’s broader business initiatives and that our business leaders are aware of changing regulatory or technical risks. In addition, two separate committees of our Board of Directors oversee our IT security program strategy and efficacy and receive regular updates.
The Audit Committee provides oversight for IT security matters generally (including cybersecurity incidents) and the Quality, Compliance and Technology Committee provides oversight for product cybersecurity matters.

In response to growing and changing cyber threats, we continually assess and strengthen our cyber defenses and response capabilities. The Global IT Security Operations team helps to protect Baxter against cyberattacks using a range of defenses that help to secure our assets, reduce detection time and improve recoverability. We conduct routine exercises with business stakeholders and third-party responders to promote awareness and improve processes. In addition, post-incident review meetings and reports provide insight into how we can update our response strategies. Our threat hunting process helps to protect our systems against evolving security threats, and we conduct risk-based reviews and due diligence monitoring through our Governance Risk and Compliance program.

To further strengthen cybersecurity across our network and portfolio of Baxter and Hillrom products, Baxter became a Common Vulnerabilities and Exposures (CVE) Numbering Authority in early 2022. The CVE program is sponsored by the Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security, and aims to enable the rapid identification and resolution of cybersecurity issues. In addition, Baxter is a member of the Health Information Sharing and Analysis Center, which we leverage to inform risk-based decisions and share best practices with other cybersecurity professionals in the healthcare industry.

Our customers can access our online Product Security summary to learn about security vulnerabilities that might affect Baxter products. In addition, Baxter has Brand Indicators for Message Identification (BIMI). BIMI adds an extra layer of authentication to emails and displays our logo in recipients’ inboxes.
This helps customers and healthcare professionals have confidence that the emails they receive from Baxter are genuine and not from fraudulent parties.

We continue to raise privacy and security awareness with all Baxter users through annual mandatory training 1 and recurring reinforcement through virtual events and updated materials. We require multifactor authentication and an always-on virtual private network (VPN) system to provide additional safeguards for our employees working remotely. In addition, our Third Party Risk Management program includes assessment and monitoring of security standards and control procedures for critical external suppliers.

Privacy and Data Protection

BAXTER DIGITAL SECURITY CERTIFICATIONS

All information Baxter collects and uses is handled in a secure manner. We align with and/or have obtained certifications for the following internal systems, products and services.

SCOPE * | CERTIFICATIONS AND ALIGNMENT

INTERNAL SYSTEMS
Enterprise and internally developed systems environment
• These systems are formally aligned to and internally audited against Baxter’s Digital Security Controls Framework. This framework aligns with NIST 800-53 controls.
• We align our data security controls with additional industry standard control frameworks and regulatory requirements.
• Baxter’s cloud service providers and data center colocation providers are certified against multiple standards, including SOC 2 Availability certification.
PRODUCTS
PrisMax v3
DCM v1.3.5
• UL 2900 Certification

SERVICES
Sharesource connectivity platform
• ISO 27001 Certification
• French HDH Certification

Novum IQ
Dose IQ

* Not all products listed are available in all or any geographies and proposed certifications for these products may be subject to change prior to regulatory approval or launch.
