With 29x more data than its first model, Cigital has released the latest findings from its Building Security in Maturity Model (BSIMM), declaring that software security is lagging.

Cigital is an application security firm that studies industries to see what they are doing for their organizations’ software security. Today, the firm announced that it has added the healthcare industry to its analysis, joining financial services, independent software vendors, and electronics.

Gary McGraw, CTO of Cigital, said that the company started 20 years ago to study firms that are doing software security and then describe the efforts they are making, so that their peers can see what they are doing right. He said BSIMM is based on observation, and it serves as a “measuring stick” for software security.

“Over the past 20 years, we have seen software security grow,” said McGraw. “The industry is focused on getting developers to do the right thing when they are designing and implementing software.”

Adding the healthcare industry will bolster the BSIMM dataset and get the industry to “buckle down and work on doing software security right,” said McGraw.

Some of the main risks for healthcare firms with a lack of software security include data breaches and hackable medical devices. “It’s not just protecting important data, but in some cases, preserving life in a secure fashion,” said McGraw.

The BSIMM data for healthcare demonstrates that healthcare organizations are lacking in software security practices, falling behind software vendors and financial services. For organizations looking to address the issues, BSIMM provides objective measurements of an organization’s software security initiative and shows where those measurements fall within its industry.