Introduction
We spent several weeks talking to people inside Dutch healthcare, hospital IT advisors, clinic operators, consultants, and equipment suppliers across the Netherlands and a few neighboring countries to understand how the market actually runs and where the gaps are.
Here is what we found.
One platform, most of the country
The first thing to understand about Dutch healthcare IT: the digitization debate is over. ChipSoft HiX runs in roughly 70–80% of Dutch hospitals. For most of the country, the clinical core runs on one platform.
A consultant who works at ChipSoft put it plainly. For the larger players, it is mostly about optimization now. The clinics are past “why” and onto “how” — specifically, how to make everything talk to each other properly.
That shift changes the question entirely. Not “should we digitize?” Dutch healthcare already did. The real question became “what breaks once everything is digital and runs through one platform?”
April 2026 answered part of that.
What happened to ChipSoft
On April 7, 2026, ChipSoft, the Dutch company whose HiX platform is the electronic health record system running in 70–80% of the country’s hospitals, was hit by ransomware. Z-CERT, the Dutch healthcare cybersecurity response team, confirmed the attack the following day and began coordinating with hospitals across the country.
As a precaution, ChipSoft disabled several external services: the Zorgportaal patient portal, HiX Mobile, and the Zorgplatform data-exchange layer. Eleven hospitals temporarily disconnected ChipSoft software from their networks. Systems were reported unavailable at Sint Jans Gasthuis, Laurentius Hospital, VieCuri Medical Center, and Flevo Hospital, among others. Leiden University Medical Center postponed the rollout of a new ChipSoft EHR system.
The impact was not uniform. Hospitals running HiX on their own servers were largely unaffected, and several large hospitals confirmed as much. The institutions hit hardest were those relying on ChipSoft’s cloud-hosted and SaaS services — primarily GP practices and rehabilitation clinics, along with hospitals whose patient-portal traffic ran through ChipSoft’s servers. ChipSoft first described the event as a “data incident,” then confirmed more than a week later that patient data had in fact been stolen.
In the first days, no group claimed responsibility — unusual for ransomware. Toward the end of April, the Embargo group took credit, said it held 100GB of data, and threatened to publish it. ChipSoft later stated the stolen data had been destroyed and that its experts had verified this in a technically sound manner — though the Dutch health minister publicly questioned whether that could ever be confirmed with certainty.
The incident made one structural reality impossible to ignore: when a single vendor manages patient records for 70–80% of a country’s hospitals, a compromise at the vendor level creates immediate pressure across dozens of institutions. The hospitals most deeply integrated through the cloud platform had the least to fall back on.
Four challenges people kept describing
Against that backdrop, four problems recurred across our conversations with healthcare professionals. Not as abstractions — as daily friction.
01
Adoption and training, not implementation. The tools are installed. Staff using them well is the harder part. One contact named the core challenge directly: educating and training staff to take full benefit from health applications. The gap between a system being deployed and a system being used is where value leaks out.
02
Privacy as a process problem. GDPR compliance is mostly handled at the infrastructure layer. What is not solved are behavior and policy, how staff handle data day-to-day, how processes are built around patient privacy, and how exceptions are managed. The technology is there. The operating culture around it lags.
03
AI governance. AI use in Dutch healthcare is growing fast, and so is the uncertainty. The EU AI Act places clinical decision support and many diagnostic tools in its high-risk category, which means human oversight, technical documentation, and risk management are no longer optional. Institutions are asking concrete questions: who is liable when a model is wrong? How do you log and audit its decisions? What does responsible AI mean inside an actual clinical workflow? In practice, the answer is less about the model and more about what surrounds it: an audit trail for every decision, a human in the loop where it counts, and EU AI Act documentation built into the workflow from the start — not bolted on once the tool is already in production.
04
Integration between systems. This was the most consistent theme. HiX handles the clinical core. But scheduling, CRM, patient communication, billing, and referral management often live in separate tools that do not connect. More than one person described manually entering the same patient data into three systems. One example from a neighboring market makes the pattern concrete: a clinic director described exactly what she wanted: automatic alerts when an appointment is canceled and process notifications that fire on their own, so staff stop running manual checks to catch what the systems should catch. Small, specific, buildable gaps. The market is full of them.
This isn't only a Dutch challenge
The Netherlands is further along the curve than most, but the same patterns are emerging across Europe.
Germany is mid-way through a multi-billion-euro government push to digitize hospitals (the KHZG program). It accelerated procurement, but requirements vary by state and implementation quality is uneven — so the fragmentation just moved up a layer, from “should we digitize” to “why don’t any of these systems agree with each other?”
The UK operates a top-down system through NHS frameworks, with GP software concentrated among two vendors (EMIS and SystmOne). The day-to-day friction isn’t adoption — it’s making systems interoperate across procurement pathways and meeting NHS data-security requirements without grinding delivery to a halt.
Belgium is among the most digitally mature markets in Europe, with a strong local vendor ecosystem — yet it still runs on a federated model in which national, regional, and local platforms must communicate with one another.
Different maturity, same core issue. Once a health system digitizes — especially quickly, and especially onto a few platforms — the hard problems move downstream: getting systems to interoperate, keeping data usable and portable, and having a plan for the day the platform everyone depends on has a bad week. April didn’t create that problem. It just made it visible.
Why Ralabs can help you
We have 10+ years of healthcare projects behind us — and a specific understanding of what breaks down when clinical systems don’t talk to each other.
Our healthcare work spans both sides of the Atlantic and multiple EU markets:
EHR/EMR integration — custom integration layers between clinical systems, billing platforms, lab systems, and patient communication tools. Not theoretical connectors — working pipelines that eliminate the manual data re-entry Dutch clinicians described to us firsthand.
Telemedicine infrastructure: custom telehealth platforms covering scheduling, secure video, charting, billing, and patient engagement in one GDPR-compliant system. No duct-taped third-party tools, no data residency risks — just infrastructure that works the way clinical teams actually do.
Patient-initiated follow-up (PIFU) and NHS integration: for RMSL in the UK, we built a PIFU system that improved patient follow-up efficiency and resource allocation inside an NHS-regulated environment. The compliance complexity of EU healthcare isn’t new to us.
GDPR-compliant cloud infrastructure: for Atlas Well, a medical addiction treatment app operating in Sweden, we built a fully GDPR-compliant cloud infrastructure on OVHcloud with 99% system uptime. EU data residency and regulatory requirements were built in from day one, not bolted on after.
AI-assisted clinical workflows: we’ve integrated AI into patient data retrieval systems, built AI-powered document processing for medical records, and helped clinical teams reduce documentation load without disrupting existing workflows.
Security as a process, not a checkbox: we work with HIPAA, GDPR, CCPA, HL7, FHIR, and SNOMED standards. Our security approach covers access control (RBAC, MFA, SSO), data at rest and in transit, and backup architecture — the full stack, not just the surface.
The challenges Dutch healthcare professionals described — fragmented systems, manual workarounds, adoption gaps, and AI governance uncertainty — are ones we’ve helped organizations navigate in production environments across the EU and beyond.
Questions worth asking about your
own stack
The Netherlands is a specific case, but the lesson generalizes. If a platform you depend on had a bad week, how much would actually keep working? A few questions worth answering before you need the answers:
- If your primary EHR or clinical platform went dark tomorrow, what is your real downtime plan — and has anyone tested it, or does it only exist on paper?
- Do your backups run independently of that platform, or through it? A backup that shares the vendor’s fate isn’t a backup.
- Can you export your own clinical data out of the vendor’s environment — in a usable format, without waiting on their timeline?
- When you add an AI step to a workflow, can you show who reviewed a decision and why? If not, you have an audit problem waiting to happen.
- When did you last rehearse recovery against a vendor outage, not just a server failure? They fail differently.
None of these require ripping anything out. They require knowing the answers before someone else forces the question.
If those questions don’t have clean answers yet, that’s the useful place to start. We can walk through your integration and resilience picture with you — where the manual workarounds are, where the single points of failure sit, and what’s worth fixing first. Talk to us about what your integration picture looks like today.