Nevila Gjata
On Thursday, October 10th, Turkish President Recep Tayyip Erdoğan arrived in Tirana for an official visit, which included the inauguration of the Namazgja Mosque, a Turkish investment of 30 million Euros. The inauguration led to widespread debate over Turkey’s political, cultural, and religious influence in Albania.
In contrast to the full ceremonial opening of the Namazgja Mosque, just five days later, on Tuesday, October 15th (at 10:00 AM), work at the Fier Regional Memorial Hospital, another Turkish investment worth 70 million Euros, was paralysed.
Critical hospital services for citizens were disrupted. Imaging, MRI scans, and the blood analysis laboratory were all out of service. Additionally, a large amount of patient data was deleted.
Nearly a week after the incident, during a reporting session in the special parliamentary commission for combating disinformation, the Director General of the National Authority for Electronic Certification and Cybersecurity (AKSK), Igli Tafa, revealed that a cyberattack had taken place. He classified it as cyberterrorism, arguing that the attack was directly related to citizens’ health. Although he did not name the hospital, he stated it was a public one. The AKSK did not disclose the name of the hospital, even after our information request following the commission report.
Faktoje.al later learned through unofficial channels that the hospital involved was the Fier Regional Memorial Hospital, a fact confirmed by the hospital itself in a response to Faktoje. In addition to naming the hospital, Igli Tafa, the AKSK Director, provided further details about the attack, both during the commission report and in a more comprehensive response to Faktoje’s information request.
AKSK’s response
‘The attack that occurred was a cyberterrorist attack of the Ransomware type, which encrypted all the data of the hospital in question and paralyzed all critical hospital services for citizens. Managing this attack required coordinated intervention with international partners and the mobilization of the AKSK’s incident management team, which ensured the full restoration of services within 72 hours. After managing the incident, the AKSK provided specific recommendations to strengthen the cyber resilience of the infrastructure,’ reads the AKSK’s response.
Regarding the attack, Faktoje.al submitted an official request to the Ministry of Health, which directed the response to the Fier Regional Memorial Hospital.
From the correspondence between the Hospital and the Ministry of Health, we received a brief summary of the four actions taken after the attack.
The response from the Fier Regional Memorial Hospital
‘The National Authority for Cybersecurity was informed. The Ministry of Health was informed. An official email was sent to AKSK. A task force was set up by AKSK, with the appropriate technical expertise. The system has now been restored to normal,’ states the response from the Fier Regional Memorial Hospital.
Security Affairs Expert, Lavdrim Lita, provides a broader overview of what specifically happens if a public hospital experiences a cyberattack.
‘If a public hospital is attacked by a cyberattack, several significant consequences can occur: The attacks may block or delete access to patient data (medical records, laboratory results, financial information, etc.),’ says Lavdrim Lita.
‘If a public hospital is attacked by a cyberattack, several critical things may happen: The attacks may block or erase access to patient data (medical records, laboratory results, financial data, etc.); They could paralyze the procurement and investment sectors of the hospital centers; And they could expose sensitive/personal data of patients related to diseases or treatments, which could impact their work or daily life,‘ Lita explains to Faktoje.al.
Who was behind the attack?
The question raised by Erion Braçe, the Chair of the Special Commission against Disinformation, about the motives, consequences, and measures taken in response to the attack, was swiftly answered by the Director of the National Authority for Cybersecurity (AKSK), Igli Tafa. Tafa first explained the origin of the attack: ‘The attack was external, but it is not linked to Iran. It is most likely from North Korea,’ Tafa said. After Braçe expressed some surprise that North Korea was involved, Tafa continued: ‘They are more violent, in terms of the scale of violence.’
Albania currently has stable diplomatic relations with South Korea, established in 1991, but not with North Korea. Albania supports international positions against North Korea’s nuclear program and adheres to UN sanctions and resolutions that condemn the regime in Pyongyang. As a NATO member and an EU aspirant, Albania supports Western policies towards North Korea, including diplomatic and economic pressure to stop human rights violations and nuclear activities. However, experts note that Albania’s role in this context is largely symbolic and aligned with the policies of its strategic partners, such as the US and the EU.
On the other hand, Turkey, (considering it was an attack on a Turkish investment), currently has limited relations with North Korea. Like Albania, Turkey actively supports international efforts to prevent the spread of weapons of mass destruction. In this regard, Turkey backs and complies with not only the UN Security Council resolutions but also international sanctions against North Korea.
Fier Regional Hospital
Fier Regional Memorial Hospital is an investment by the Republic of Turkey, providing tertiary-level services for the entire Southern Region, including Fier, Vlorë, and Gjirokastër. The Fier Hospital is part of the public hospital network, but unlike others, it has pioneered hospital autonomy for the first time. The hospital is equipped with 6 operating rooms where complex surgical interventions are performed, and it provides all necessary services for citizens. The hospital serves as a center for the transfer of research knowledge and advanced technological interventions. Currently, this hospital collaborates with a management, administrative, medical, nursing, and technical team, formed through close Turkish-Albanian cooperation. But does this hospital have sufficient technological resources to address the growing sophistication of cyber threats?
‘What we saw is that after the emergency phase, the long phase of becoming resilient begins, and to be resilient, you need investments in technology and in people,’ said Igli Tafa.
During his report to the special parliamentary commission, Igli Tafa, the Director of the National Authority for Cybersecurity (AKSK), explained that the hospital had only two experts trained in this regards: ‘What we saw is that after the emergency phase, the long phase of becoming resilient begins, and to be resilient, you need investments in technology and in people. In fact, those two individuals were trained, but in the panic of the moment, even they couldn’t manage the situation well. Nevertheless, they were part of the team that helped us.‘
When the hospital alerted them about the cyber attack, AKSK sent 7 experts to the site and 12 others followed remotely from Tirana to quickly restore the services. ‘We managed to restore everything in a record time of three days, which, according to all experts, should have taken nearly a month to fix. This was thanks to the hard work we did,’ Tafa said during the commission.
Lack of Investment
However, enhancing cybersecurity requires continuous investment and professional training to establish a sustainable protection system. During his report to the special parliamentary committee, AKSK Director Igli Tafa revealed that future investments would be prioritized: ‘We’ve informed the operators that if they lack the budget for the annual period, we are ready to offer them Open Source technological methods we’ve tested to assist them.’
In a more detailed response to Faktoje.al, AKSK acknowledged that the shortage of cybersecurity experts remains a global challenge.
‘To address these challenges, AKSK has developed a strategic plan to strengthen the professional capacity of cybersecurity experts in both public and private institutions. As part of this plan, periodic training and practical cybersecurity exercises (CyberDrill) are organized for experts in the involved institutions, aiming to strengthen their ability to face ever-evolving threats.
We emphasize that even with the most advanced technologies and top experts, we can never be fully immune to cyberattacks, as this field is extremely dynamic and evolves rapidly.
This proactive approach is essential to ensure that our institutions have the necessary capabilities to protect themselves from cyber threats,’ AKSK explained. Albania is still regarded as a vulnerable country in terms of cybersecurity, especially following the cyberattacks that hit the nation in 2022 and beyond. These attacks revealed weaknesses in the defense systems, with limited capacity to detect and prevent cyberattacks in real time, as well as deficiencies in coordination among national institutions.
Are Hospitals Exposed to Cyberattacks?
The Regional Memorial Hospital in Fier is not listed among the critical information infrastructures covered by the AKSK, which is responsible for cybersecurity under the law. What does this imply? According to AKSK, ‘as a result, assistance in managing this cyberattack for this institution was provided voluntarily.’ The agency, pursuant to the law, assists operators of critical and important information infrastructures in managing cyber incidents and oversees the enforcement of cybersecurity measures within these infrastructures.
Faktoje.al sent a second information request to the AKSK, asking for access to the current list of critical and important information infrastructures, as outlined in the government’s revised security decision from 2022.
At the same time, Faktoje.al also reached out to the Ministry of Health to ask which public hospitals are part of the list of critical information infrastructures and whether they possess adequate cybersecurity expertise. The Ministry referred to the request to the AKSK as the competent authority on cybersecurity.
In its second reply, AKSK explained that the list of Critical and Important Information Infrastructures is not publicly available due to the sensitive nature of the information, which relates to the networks and systems of these infrastructures.
‘The list of infrastructures, along with their networks and systems, cannot be made public in order to avoid exposing them to potential cyberattacks,’ AKSK states in its response.
An earlier government decision (2020), (which is available online,) revealed that the list of public hospitals under AKSK’s oversight leaves much to be desired. This situation may have been updated with a new decision in 2022, but AKSK has not disclosed this updated information.
Both the 2020 decision and the revised version from 2022 (related to lists) aim to partially align with the European directive regarding measures for a high common level of network and information system security in the EU.
In line with the new Cybersecurity Law, AKSK informs us that it is in the process of developing and approving a new list for Critical Information Infrastructures (CII).
‘This list will expand the scope of coverage, including additional sectors and infrastructures, to ensure comprehensive and sustainable protection at the national level,’ according to the authority’s response.
‘It’s time for me to inform and request from the CEOs of all institutions to consider that being under the control of the National Authority for Cybersecurity does not mean their information will be compromised. On the contrary, it will be protected in the best possible way from further cyberattacks, Tafa assured earlier in the special parliamentary committee.
Although the director of AKSK informed that both public and private institutions have adopted a security standard (with substantial penalties for violations), the biggest challenge the authority faces is the technological gap: ‘They don’t have it. The reasons are budget-related, such as the budget not being approved yet this year, procurement failed, and the unsuccessful company filed an appeal. However, in cybersecurity, we don’t have the luxury of time. If a significant risk is identified, it must be addressed immediately.’
Expert on Security Issues, Lavdrim Lita, also points out that ‘a special strategy is needed for the cybersecurity of hospital and laboratory systems.‘ ‘Collaboration with the private sector and the IT community, including coders, could provide sustainable and smart solutions,’ he adds.
In the absence of official information about which public hospitals are under the control of AKSK (and thus protected against cyberattacks), how much budget they have, what concrete capacities they possess in cybersecurity expertise, and whether they are included in continuous training programs, we are left with a fundamental question that naturally arises following the incident at the Fier Regional Memorial Hospital. A question that was raised by AKSK Director Igli Tafa himself when discussing the incident in the parliamentary committee, also providing the answer: ‘Are other hospitals at risk? Yes. They are.’
