Cybersecurity among the largest US health and pharmaceutical organisations has fallen behind sectors such as finance, utilities and even retail, an analysis of S&P 500 firms has found.

Security ratings firm BitSight used a proprietary methodology (see below) to measure detected security events (botnets, malware distribution and spam connected to each organisation) to work out that 82 percent of the top 500 firms across these sectors suffered some kind of security incident in the year to March 2014.

From this it plotted each sector on an index between 250 and 900 (higher being better), on which finance achieved 782, ahead of utilities on 751 and retail on 685, with healthcare and pharma in last place on 660.

The time taken to remediate security events was also assessed, and a similar pattern emerged: finance was the quickest to respond, at less than four days. Once again healthcare came last, taking more than five days to achieve the same result.

Given the numerous recent breaches, it’s not a revelation that retail isn’t doing well, with recorded security events rising sharply during 2013, but the healthcare and pharmaceutical sectors’ mediocre showing looks like a separate concern. Active malware detected in these industries included serious forms such as Zeus, the ZeroAccess botnet and PushDo, as well as the evergreen Conficker worm.

Some health organisations matched the best in other sectors while others were markedly poorer, according to BitGravity. This underlined a dangerous divergence between the best and the worst.

“Based on our analysis, it is clear that organizations that treat cyber security as a strategic issue perform better than those that view it as a tactical one,” argued BitSight co-founder and CTO, Stephen Boyer.

“This partially explains the superior security ratings of financial institutions and electric utilities in the S&P 500 compared to retailers and healthcare companies.”

In other words, the sectors that performed relatively well, such as finance, were the ones that viewed security as fundamental to their business model and not a money-sucking optional extra.

BitSight’s assessment is based on detecting malicious and anomalous events, taking these to be signs of compromise. An unspoken issue, of course, is how much can be read into these kinds of 'events'.

In the case of retail, probably quite a lot, but does the same apply to healthcare? Perhaps. Although undoubtedly riven with security issues, it is a sector that is also incredibly complex and made up of a fragmented array of databases smaller than those that would be targeted in retail or financial firms. This isn’t a defence, but it does mean that hackers might have to work a lot harder to get their hands on large amounts of valuable data.

On the other side, the Identity Theft Resource Center (ITRC) recently worked out that US healthcare organisations accounted for up to four out of every ten known data breaches during 2013.