ChipSoft ransomware: why immutable, isolated backups are non-negotiable
The ChipSoft (HiX) attack disrupted hospital services and exposed data. Here’s how immutable backups and an isolated backup network meet DORA/NIS 2 and prevent prolonged outages.
In early April 2026, hospital software vendor ChipSoft (HiX) was hit by ransomware: hospitals disconnected services, portals were shut down, and patient data was stolen. Here is how to avoid full stoppage and meet DORA/NIS 2 requirements.
The facts
On April 7, 2026, ChipSoft, supplier of the HiX electronic patient record used by many Dutch and cross‑border hospitals, was struck by ransomware. Sector body Z‑CERT confirmed the incident and advised healthcare organizations to cut VPN links and monitor traffic, with several components (Zorgportaal, HiX Mobile, etc.) taken offline as a precaution. Patient data theft was acknowledged for customers hosted in the vendor’s cloud, and hospital recovery took several weeks. Sources: Z‑CERT (09/04/2026), The Register (08/04/2026), NL Times (08/04/2026) and DutchNews.nl (29/04/2026).
Beyond the vendor, the impact was systemic: preventative disconnections at hospitals, slowed operations, and a weeks‑long recovery phase before returning to normal (Computable.nl, 18/05/2026). It is a textbook supply‑chain risk where clinical continuity depends on a third party’s technical resilience.
The applicable legal framework
Even though the incident involves healthcare, resilience obligations apply to all critical sectors in Europe and are explicitly detailed for finance by DORA. For financial entities, the DORA requirements (Art. 12) mandate reliable, tested, and separated backups. The NIS 2 directive (Art. 21(2)(c)) requires business continuity including backup and incident recovery management for essential and important entities.
- DORA – Article 12: backup, restore, and recovery policies and procedures. Regulation (EU) 2022/2554 requires financial entities to maintain reliable, tested backups that are logically or physically separated and encrypted, together with documented recovery procedures integrated into continuity and crisis plans. Official text: EUR‑Lex — DORA.
- NIS 2 – Article 21 (2)(c): business continuity including backup and disaster recovery for essential and important entities. Official text: EUR‑Lex — NIS 2. The Commission reiterates these risk management and continuity requirements: European Commission — NIS 2.
In short, regulators expect organizations to:
- rapidly restore critical services from intact backups not encrypted by the attacker;
- demonstrate isolation of backups from the production network;
- prove (tests, logs, procedures) that these mechanisms work in real conditions.
The technical solution to deploy
Objective: make hostage‑taking ineffective. Two complementary pillars.
1) Immutable backups (WORM)
- Principle: write data to a target that prevents any alteration/deletion during a retention period (hardware/object lock, immutable snapshots).
- Implementation: S3‑compatible object storage with object lock, immutable snapshots on backup appliances, digital vaults, and logical air‑gap.
- Key controls: non‑bypassable retention, dedicated KMS/HSM keys, role separation, MFA/approvals for any policy change, encryption at rest (AES‑256) and in transit (TLS 1.2+).
- References: ISO/IEC 27001 Annex A.8.13, NIST SP 800‑209, CIS Controls v8 — Control 11.
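An added example, not code from Luxgap or any vendor named on this page: a small Python audit of an S3 Object Lock configuration (the JSON shape returned by the S3 GetObjectLockConfiguration API) that flags the settings which quietly undermine WORM protection, a GOVERNANCE-mode or too-short default retention, next to a corrected configuration. The 30-day baseline and both sample configurations are assumptions constructed for illustration.

```python
from typing import List

# Baseline assumed for this example: default retention must use COMPLIANCE
# mode (cannot be shortened or removed, even by the account root user) and
# must outlast the window in which an intruder typically purges backups
# before detonating ransomware. 30 days is an assumed value, not a standard.
MIN_RETENTION_DAYS = 30


def audit_object_lock(config: dict, min_days: int = MIN_RETENTION_DAYS) -> List[str]:
    """Return findings for a GetObjectLockConfiguration-shaped dict; [] means compliant."""
    findings: List[str] = []
    cfg = config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: versions can be deleted at will")
        return findings  # remaining checks are meaningless without the feature
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: new objects land without WORM protection")
        return findings
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode {mode!r}: GOVERNANCE can be bypassed by a privileged user")
    # S3 expresses default retention in either Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d baseline")
    return findings


# Constructed sample: a bucket that looks protected but is not.
WEAK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}},
    }
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_object_lock(cfg) or ["OK"])
```

Feed the function the dict returned by your S3-compatible client's get_object_lock_configuration call and treat any non-empty result as a control failure to record in your audit evidence.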
2) Network isolation and segmentation of the backup chain
- Principle: prevent lateral movement (from a compromised environment into backup infrastructure) and contain exfiltration.
- Implementation:
  - dedicated network for backup servers (separate VLAN/VRF);
  - access via bastioned admin gateways (PAM) and strong authentication;
  - no unsolicited inbound connections from production;
  - dedicated service accounts, automated secret rotation;
  - L3/L7 filtering, TLS inspection, and micro‑segmentation on critical workloads (backup platforms, image repositories, IaC registries).
- Controls: regular restore tests (monthly/quarterly), tabletop and technical drills, measured and recorded RTO/RPO.
Cutting the attack chain: even if the vendor or a third party is compromised (as with ChipSoft), a modernized 3‑2‑1‑1‑0 policy (3 copies, 2 media, 1 off‑site, 1 immutable/isolated, 0 errors verified by test restores) prevents prolonged paralysis and data blackmail.
How Luxgap delivers this
- Our ISO 27001 governance (certified Lead Implementer/Auditor) translates DORA/NIS 2 into concrete policies: mapping critical systems, defining RTO/RPO, choosing backup targets, role‑separation matrices, restore procedures, and audit evidence.
- Our 24/7 managed SOC monitors the backup chain: detection of abnormal events (unusual purges, mass replications, out‑of‑window admin access), SIEM correlation, alerting, and orchestrated response (network isolation, failover to immutable copies).
- Our outsourced CISO/DPO consultants align tech and compliance: restore test logs, access control evidence, BCP/DRP integration, regulatory communication (major incidents).
Practically, we execute in sprints:
- scoping and maturity assessment (backup mapping, restore tests, vendor/third‑party dependencies);
- target architecture (immutable + isolated network + encryption + PAM);
- tooled deployment (WORM policies, vaults, hardening, micro‑segmentation);
- cold and hot restore exercises, then DORA/NIS 2 evidence production.
Real‑world case in Luxembourg or the EU
A regulated (finance) company operating in Luxembourg, with critical systems hosted by a European vendor, migrated to object‑lock immutable backups and replication to an isolated network vault administered via PAM and HSM keys. In 6 weeks:
- RTO cut from 48h to 8h on the critical app, RPO improved from 24h to 4h validated by monthly tests;
- documented evidence for DORA Art. 12 and NIS 2 Art. 21(2)(c) integrated into the BCP;
- “compromised vendor” scenario tested: preventive disconnect, restore validated from immutable copy, continuity ensured without paying or negotiating.
First concrete steps
- Verify your backup lifecycle this week: last tested restore, actual duration (RTO), recovery point (RPO), and up‑to‑date evidence.
- Isolate your backups: dedicated segment + bastion + least‑privilege service accounts, and block any direct administration from the production network.
- Enable immutability: WORM on your primary target (immutable snapshots/object‑lock), codified retention controlled by dedicated HSM/KMS.
- Simulate a “compromised provider/SaaS” incident on a critical app: cut outbound connectivity and restore from the immutable copy. Measure observed RTO/RPO and gaps.
- Document for DORA/NIS 2: policies, network diagrams, restore test logs, authorization registers, communication plan (internal, clients, authorities). Integrate these into your business continuity plan.
Official sources
- Incident and impacts:
  - Z‑CERT — Ransomware at ChipSoft (09/04/2026)
  - The Register — Ransomware knocks Dutch healthcare software vendor offline (08/04/2026)
  - NL Times — Ransomware attack on company that manages hospitals’ patient files (08/04/2026)
  - DutchNews.nl — Stolen patient data has been destroyed (29/04/2026)
  - Computable.nl — Recovery almost complete (18/05/2026)
- Regulatory framework:
In summary: the ChipSoft attack shows the question is no longer “if” but “when.” Immutable backups and an isolated backup network are now the technical bedrock for rapid recovery, and for demonstrating to regulators that your business continuity is non‑negotiable.
Get in touch to assess and strengthen your posture.