With 29x more data than its first model, Cigital has released its most recent findings of its Building Security in Maturity Model (BSIMM), declaring that software security is lagging.

Cigital is an application security firm that studies industries to see what they are doing for their organizations’ software security. Today, the firm announced that it has added the healthcare industry to its analysis, joining financial services, independent software vendors, and electronics.

(Related: Android security flaws come from lack of updates)

Gary McGraw, CTO of Cigital, said that the company started 20 years ago to study firms that are doing software security, and then describe what efforts they are taking so that their peers can see what they are doing right. He said BSIMM is based on observation, and it serves as a “measuring stick” for software security.

“Over the past 20 years, we have seen software security grow,” said McGraw. “The industry is focused on getting developers to do the right thing when they are designing and implementing software.”

Adding the healthcare industry will bolster the BSIMM dataset and get the industry to “buckle down and work on doing software security right,” said McGraw.

Some of the main risks for healthcare firms with a lack of software security include data breaches and hackable medical devices. “It’s not just protecting important data, but in some cases, preserving life in a secure fashion,” said McGraw.

The BSIMM data for healthcare demonstrates that healthcare organizations are lacking in software security practices, falling behind software vendors and financial services. For organizations looking to address the issues, BSIMM provides objective measurements of an organization’s software security initiative and where the measurements fall within their industry.

Besides adding healthcare to its verticals, Cigital’s BSIMM6 model was slightly adjusted, but its data pile is continuing to grow, which is what will help firms become secure.

With BSIMM6, Cigital now covers 78 firms, helping them fix and prevent vulnerabilities in their applications. Some of these companies include Adobe, Aetna, Cisco, EMC, JPMorgan Chase, LinkedIn, Nokia, PayPal, TomTom, Vanguard, VMware and Zephyr Health.

Cigital’s hope for the future is to scale to all developers and use BSIMM6 to find out what people are doing for software security. One of its main challenges is getting software developers to learn and take advantage of the facts—something McGraw hoped will change in the future by developers using Cigital’s model.

“The good news is we know what to do; we just need to do it,” he said.