It was a late Thursday in January when hospital administrator Steve Long was notified that his computer systems had just been hijacked by an unidentified criminal group.
The hackers gave Long seven days to pay a ransom — or else.
It was at the height of flu season, and a winter snowstorm was moving through the Greenfield, Indiana, area where Hancock Regional Hospital is located. As president and CEO of Hancock Health, Long felt an obligation to make sure his patients were safe.
"We were very prepared. We understood that cyberattacks are common," Long told CNBC.
Unfortunately for Long, the criminals had obtained the login credentials of a vendor that provides hardware for one of the information systems used by the hospital, enabling the group to inject malware and encrypt the hospital's data.
Long was eventually forced to pay the hackers in cryptocurrency.
"We never had a choice in hindsight. It's part of a business model. There is a business model behind this," Long said. He now spends his free time traveling around the U.S. teaching other groups what he learned from the experience.
Over the past decade, the health-care field has had far more computer security incidents than any other industry, accounting for 38 percent of incidents versus 16 percent for professional services and 11 percent for retail, according to data from Chubb, the world's largest publicly traded property and casualty insurer.