When the Supplier Is the Single Point of Failure: The ChipSoft Attack and a Lesson for Slovak Healthcare

22 April 2026

A ransomware attack on ChipSoft, the supplier of the electronic health records system used by approximately 70 to 80 percent of Dutch hospitals, paralysed a substantial part of the national healthcare system within a matter of hours. The event reaches far beyond the borders of the Netherlands. It confirms that the concentration of sensitive infrastructure in the hands of a single software supplier is becoming a systemic vulnerability of critical infrastructure.



What happened


The Dutch healthcare CSIRT Z-CERT confirmed a ransomware incident at ChipSoft on 7 April 2026. ChipSoft operates the HiX system, which the majority of Dutch hospitals use for medical records, patient scheduling, laboratory results and pharmaceutical distribution. After detecting the incident, the company preventively disconnected several interconnection services, including the patient portal Zorgportaal, the HiX Mobile application and the Zorgplatform integration platform.


At least eleven hospitals subsequently disconnected from ChipSoft or limited their connectivity due to uncertainty over the scope of the attack. Among those affected were Sint Jans Gasthuis in Weert, Laurentius in Roermond, VieCuri in Venlo, Flevo in Almere, Franciscus Gasthuis in Rotterdam and Albert Schweitzer in Dordrecht. Hospitals shifted to paper-based documentation, postponed planned procedures and limited patient admissions. The Dutch Data Protection Authority was notified of the incident. On 15 April, public broadcaster NOS reported that a leak of patient data through the HIX365 platform could not be ruled out.


Why this is a critical infrastructure issue


Healthcare is a standalone sector of critical infrastructure under Act No. 367/2024 Coll. on Critical Infrastructure and, at the same time, belongs among the critically important services within the meaning of Act No. 366/2024 Coll., which transposed the NIS 2 Directive into Slovak law. The continuity of healthcare provision depends on information systems to an extent that providers themselves do not always fully perceive in their day-to-day operations. If a central hospital platform fails, the entire clinical chain is affected, from patient admission through diagnostics and laboratory results to medication dispensing.


The Dutch case illustrates a mechanism that is, in principle, transferable to any European country. This was not a direct attack on hospitals, but the compromise of a single software supplier on which dozens of institutions depend. In such an environment, dependence on a single supplier is a risk of the same order as an unencrypted communication channel or an unpatched server. The difference is that this type of risk is managed by law and by contract, not by a technical measure.


The Slovak parallel


Slovak healthcare relies on a limited number of suppliers of hospital information systems, laboratory and radiological systems and the electronic health record. The operational concentration at the level of software platforms is comparable to that of the Netherlands. At the same time, the deadlines of the legislative framework are clear: by 17 July 2026, central bodies of state administration must identify critical entities under Act No. 367/2024 Coll. and subsequently apply resilience requirements to them. The Ministry of Health, as the central authority for this sector, faces a task that also includes mapping dependencies on software suppliers and their security posture.


In this context, the December 2025 experience is also relevant, when the attack on the Ministry of Economy of the Slovak Republic confirmed that Slovak public administration is not immune to similar incidents. The framework of Act No. 366/2024 Coll. explicitly imposes, in Section 20 letter i), the obligation to manage supply chain risk, including third-party providers. The combination of dependence on critical software and the insufficiently tested resilience of those suppliers is a deferred problem that materialised in the Netherlands within a single day.


“The attack on ChipSoft is not a Dutch episode, but a reflection of a European healthcare system in which concentrated dependence on a single supplier has become a systemic vulnerability. Supply chain security under Section 20 of Act No. 366/2024 Coll. is not a formal requirement, but a test of real effectiveness at clinical level. Before the deadline of 17 July 2026, operators of healthcare infrastructure must be able to answer a simple question: if their software supplier fails today, how long can clinical operations continue and how quickly will they return to planned operation,” says Tibor Straka, President of the Critical Infrastructure Association of the Slovak Republic.


How to proceed


The lesson of the ChipSoft incident can be summarised in several practical steps, which also correspond to preparedness for the regulatory obligations that are gradually entering into force. First, operators should map software suppliers according to their criticality and the tolerable duration of their outage, with particular attention to systems such as HIS, LIS, RIS and PACS. Second, contracts with suppliers should contain specific requirements for incident notification in line with NIS 2 deadlines, as well as for the submission of security documentation, including the Software Bill of Materials (SBOM).


Third, from 11 September 2026, the obligation under the Cyber Resilience Act (CRA) takes effect. Manufacturers of products with digital elements will be required to report actively exploited vulnerabilities through the ENISA platform within 24 hours. Operators of critical infrastructure should expect their suppliers to comply with this regime even before that date. Fourth, sectoral simulations within the Resilience Strategy for Critical Entities of the SR, approved by the Government on 9 January 2026, should also include a scenario of the failure of a single key software supplier across hospitals.
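The first of the steps above, mapping suppliers by criticality and tolerable outage, is easy to start as a small inventory exercise. The following Python is an added example, not code from AKI SR or from any hospital; the systems, the placeholder supplier names (Vendor-A, Vendor-B, Vendor-C) and the hour values are constructed sample data, not real contracts.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ClinicalSystem:
    name: str                        # e.g. HIS, LIS, RIS, PACS
    supplier: str                    # who operates or maintains it
    max_tolerable_outage_h: float    # hours clinical work can continue without it
    contract_rto_h: Optional[float]  # supplier's contractual recovery time, None if absent

# Constructed sample portfolio; supplier names are placeholders, not real vendors.
PORTFOLIO = [
    ClinicalSystem("HIS", "Vendor-A", 4, 24),
    ClinicalSystem("Patient portal", "Vendor-A", 48, 24),
    ClinicalSystem("LIS", "Vendor-A", 8, 24),
    ClinicalSystem("RIS", "Vendor-B", 12, 8),
    ClinicalSystem("PACS", "Vendor-B", 12, None),
    ClinicalSystem("Pharmacy", "Vendor-C", 6, 4),
]

def systems_by_supplier(portfolio):
    """Group the portfolio by supplier; this is the dependency map itself."""
    groups = defaultdict(list)
    for system in portfolio:
        groups[system.supplier].append(system)
    return dict(groups)

def single_points_of_failure(portfolio, min_systems=2):
    """Suppliers whose compromise takes down at least min_systems systems at once
    (the ChipSoft pattern: one supplier, many clinical functions)."""
    return {sup: [s.name for s in systems]
            for sup, systems in systems_by_supplier(portfolio).items()
            if len(systems) >= min_systems}

def coverage_gaps(portfolio):
    """Systems whose contractual recovery is slower than the clinic can tolerate,
    or that carry no recovery commitment at all."""
    return [s.name for s in portfolio
            if s.contract_rto_h is None
            or s.contract_rto_h > s.max_tolerable_outage_h]

def supplier_clock(portfolio):
    """Per supplier, the shortest tolerable outage among its systems: the time
    the organisation has before its first clinical function is lost."""
    return {sup: min(s.max_tolerable_outage_h for s in systems)
            for sup, systems in systems_by_supplier(portfolio).items()}
```

Running the three checks over the sample data shows Vendor-A as the concentration point with a four-hour clock, while HIS, LIS and PACS are the systems where the contract (or its absence) does not match what the clinic can tolerate.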


The Critical Infrastructure Association of the Slovak Republic (AKI SR) provides a space for expert discussion on supply chain security and, in close cooperation with the National Security Authority, SK-CERT and other partners, helps critical infrastructure sectors translate new legislative requirements into demonstrable practice. The foundation remains the answer to the question raised by the ChipSoft incident: where in the chain of our services is the point whose failure can bring the entire system to a halt?

