One reason this industry is coming under attack is that electronic medical records sell for more on the black market than credit card numbers, Boyer said. He cited examples of medical records selling for $20, while the going rate for credit cards was around $1. The records are being used to help criminals obtain drugs and other treatments, he said.
Securing medical data quickly doesn't look promising either, because so many hospitals and other medical facilities are running outdated IT systems, Boyer said.
"I don't see the response (will) be lightning quick, with all those legacy systems in hospitals, you just can't fix this overnight," he said.
Also worth noting: when BitSight investigated why health-care companies may be falling behind in security, researchers found that IT professionals at health-care companies were paid less than IT staff in every other industry included in the study.
BitSight's report comes after February's release of a report by the IT security-focused SANS Institute, which said the health-care industry is dealing with an "alarming" number of security breaches.
The SANS report noted that about 94 percent of medical institutions have reported being the victims of cyberattacks.
"Now, with the push to digitize all health-care records, the emergence of HealthCare.gov and an outpouring of electronic protected health information (ePHI) being exchanged online, even more attack surfaces are being exposed in the health-care field," the report said.
The report also said that the number of breaches in the health-care sector "not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen."
"Unlike e-commerce–related theft and fraud expenses from which most consumers are shielded, consumers are responsible for costs related to compromised medical insurance records ... costs that reached $12 billion in 2013," SANS noted.
In 2009, the U.S. Health and Human Services Department began mandating that any data breach involving unsecured protected health information be reported to HHS. Since then, the department said, there have been 116,000 reports of breaches of unsecured protected health information involving fewer than 500 individuals each.
There have also been more than 980 reports of breaches involving health information for 500 or more people, HHS said. In those combined cases, information for more than 31.3 million people was breached, the department said.
Of those larger breaches, the locations where they occurred broke down in this way: laptops, 23 percent; paper records, 22 percent; desktop computers, 15 percent; portable electronic devices, 14 percent; network servers, 11 percent; email, 3 percent; electronic medical records, 2 percent; and other, 11 percent.
—By CNBC's Cadie Thompson.