EHR Systems, Digital Sovereignty and Cyber Resilience: Why Dutch Healthcare Needs More Than Vendor Trust

The recent cyber incident involving ChipSoft has put a sensitive question back on the boardroom agenda of Dutch healthcare organisations: who is really in control of patient data?

Electronic Health Record systems, or EHR systems, are among the most critical digital assets in healthcare. They contain highly sensitive personal and medical information, support daily clinical workflows and connect hospitals, general practitioners, laboratories, pharmacies and other care providers. When such systems, platforms or integrations are disrupted, the impact is not merely technical. It directly affects continuity of care, patient trust, privacy obligations and operational resilience.

For me, this is not an abstract topic.

My father used to run his own medical practice. Over time, that practice grew into a hospital. From a young age, I saw how much attention went into improving care, increasing safety and making sure patients could rely on the organisation around them. That mindset has always stayed with me: healthcare is never finished. It is a continuous effort to improve quality, safety and trust.

Today, my brothers continue that work. They are involved in that hospital and six other hospitals. As a family, we speak about healthcare operations, systems, risks and improvement almost daily. And because they also use ChipSoft, the recent incident was not just another news item. It became a very real reminder of how dependent healthcare has become on a small number of critical digital systems.

In the Netherlands, this discussion is increasingly linked to a broader strategic theme: digital sovereignty.

The sovereignty issue in Dutch healthcare

Dutch healthcare depends heavily on a limited number of EHR suppliers. ChipSoft, with its HiX platform, and Epic are dominant players in the hospital sector. This concentration creates efficiency and standardisation benefits, but it also introduces systemic risk. If a dominant supplier is disrupted, many healthcare organisations may be affected at the same time.

That is exactly why digital sovereignty is no longer a theoretical policy debate. It is about control over critical data, control over operational continuity, and control over the technology stack that supports vital public services.

The issue becomes even more complex when healthcare data is processed, stored or supported through large non-European cloud providers. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has warned healthcare executives that processing health data in the cloud does not transfer accountability to the cloud provider. The healthcare organisation remains responsible for lawful, secure and controlled processing of personal health data. The AP also stresses the importance of risk assessments, supplier checks and strong governance around cloud use in healthcare.

This is the uncomfortable truth: outsourcing technology does not mean outsourcing responsibility.

The ChipSoft incident: a wake-up call, not a verdict

In April 2026, ChipSoft confirmed it had been hit by a ransomware attack. As a precaution, connections to several services, including Zorgportaal, HiX Mobile and Zorgplatform, were switched off. ChipSoft also stated that it worked with Z-CERT, the Dutch cybersecurity expertise centre for healthcare.

Several sources reported that the incident affected healthcare organisations beyond a single provider environment. LHV, the Dutch national association of general practitioners, reported that forensic investigation showed that personal data of patients, including medical data, had been stolen from, among others, general practitioners. Other reporting indicated that multiple hospitals and healthcare organisations took precautionary measures, including taking portals offline.

It is important to be precise here. A cyber incident does not automatically prove that a supplier failed to comply with ISO standards, NEN 7510, GDPR, NIS2-related obligations or other cybersecurity requirements. Even well-controlled organisations can be attacked.

But it does raise legitimate governance questions.

  • Was risk management sufficiently mature?
  • Were supplier dependencies fully understood?
  • Were continuity scenarios tested?
  • Were logging, monitoring and incident response effective?
  • Could healthcare organisations independently assess their own exposure?
  • Were contractual, technical and organisational controls demonstrably in place?
  • And most importantly: could boards prove that they were in control before, during and after the incident?

That last question matters. In regulated environments, compliance is not just about having policies. It is about being able to demonstrate that controls work in practice.

EHDS will raise the bar for EHR systems

The European Health Data Space regulation will further increase expectations for healthcare data governance. The EHDS aims to create a common European framework for the use and exchange of electronic health data. It gives citizens more access to and control over their health data and supports secure reuse of health data for research, policy and innovation.

For EHR systems, this means that interoperability, logging and secure data exchange will become even more important. The EHDS introduces a stronger European framework for EHR systems and digital health services, including requirements around interoperability and access to electronic health data.

This creates a dual challenge for healthcare organisations and suppliers.

They need to become more open and interoperable.

At the same time, they need to become more secure, auditable and sovereign.

That is not easy. Interoperability increases connectivity. Connectivity increases the attack surface. More data exchange means more governance. More reuse means more accountability.

ISO, NEN 7510 and cyber legislation are not paperwork

Healthcare organisations often treat ISO 27001, NEN 7510, GDPR, supplier management and cyber legislation as separate compliance tracks. That is a mistake.

In practice, they are connected parts of the same management system.

ISO 27001 provides the structure for information security management.

NEN 7510 translates information security requirements into the healthcare context.

GDPR defines strict obligations for personal data and special categories of personal data, including health data.

NIS2 and related Dutch cyber resilience legislation increase expectations around risk management, incident handling, supply chain security and governance.

EHDS adds requirements around health data access, interoperability and control.

Together, these frameworks point in the same direction: organisations must be able to govern digital risk continuously, not once a year before an audit.

That requires more than a certification badge. It requires a living control environment.

The real risk: assuming the supplier has it covered

Many healthcare organisations rely on their EHR supplier’s certifications, documentation and security statements. That is understandable, but not sufficient.

A supplier may be certified, but the healthcare organisation still needs to understand:

  • which data is processed where;
  • which subprocessors are involved;
  • which integrations are active;
  • which access rights exist;
  • which incidents affect which patient groups;
  • which controls are inherited from the supplier;
  • which controls remain the responsibility of the healthcare organisation;
  • how continuity is guaranteed if the supplier disconnects services;
  • how evidence is collected when regulators, auditors or boards ask difficult questions.

This is where many organisations struggle. The problem is not always lack of policy. The problem is lack of operational control.

  • There may be documents, but no clear control ownership.
  • There may be supplier agreements, but no active supplier risk register.
  • There may be audit reports, but no management dashboard.
  • There may be incident procedures, but no tested recovery scenario.
  • There may be ISO certification, but no real-time view of readiness.

From compliance to control

The ChipSoft incident should not lead to panic. It should lead to maturity.

Healthcare organisations need to move from passive compliance to active control. That means building a management system that connects risks, controls, suppliers, assets, incidents, evidence, actions and management review.

For EHR systems and healthcare data, such a system should answer practical questions:

  • What are our critical healthcare data processes?
  • Which EHR modules, portals, APIs and integrations support them?
  • Which suppliers and cloud services are involved?
  • Which controls protect confidentiality, integrity and availability?
  • Which controls are tested?
  • Where is the evidence?
  • Which actions are overdue?
  • Which risks are accepted by management?
  • Which dependencies are strategic, operational or unacceptable?
  • What happens when a supplier is unavailable?
  • Can we prove this to the board, the auditor, the AP or another supervisory authority?

This is not bureaucracy. This is digital resilience.

Why ISO Ready exists

At Oosterwal Consultancy, we see that many organisations do not fail because they lack awareness. They fail because the control system around compliance becomes fragmented.

  • Policies live in SharePoint.
  • Risks live in Excel.
  • Actions live in email.
  • Supplier evidence is scattered across folders.
  • Audit findings are tracked separately.
  • Management review happens too late.

ISO Ready was created to help organisations bring structure to this complexity.

It provides a practical, lightweight way to manage ISO readiness, controls, risks, actions, evidence and audit preparation in one place. The goal is not to create more compliance work. The goal is to make compliance visible, manageable and actionable.

For healthcare, EHR-dependent organisations and other regulated sectors, this is becoming increasingly important. The question is no longer whether you have documents. The question is whether you can demonstrate control when it matters.

The boardroom question

The next time an EHR supplier, cloud provider or digital platform is disrupted, boards should not have to ask: “Do we know whether we are exposed?”

They should already know.

Digital sovereignty is not only about choosing European technology. It is about knowing where your data is, who controls it, which risks you accept, which controls are effective and how quickly you can respond when something goes wrong.

In healthcare, that is not optional.

It is part of responsible digital leadership.

EHR (EPD) and how to do it securely