Sample Deliverable

What a Digital Health Scorecard actually looks like

A real scan of a live med spa website, scored across six dimensions and benchmarked against five competitors. The client's identity is redacted. Every number on this page came from an actual scan, not an example.

How to read this: this is the free scorecard we run for any business, shown on a real subject with the name removed. We scanned a multi-location med spa and its competitors in June 2026. The grades, metrics, and benchmark positions are the real results. We redact the names because the point is the method, not to grade anyone in public.
66 out of 100
Overall
Needs Work
Sample Co. — Med Spa & Aesthetics
Mobile Performance (25%): 53

Largest Contentful Paint 19.6s on mobile (Google's “good” bar is 2.5s).

Security Headers & TLS (20%): 38

TLS 1.3 active, but 5 of 6 protective HTTP headers are missing.

SEO Foundation (15%): 92

Title length, meta description, and a single clean H1 all in place.

Accessibility (15%): 86

WCAG automated checks pass; every image carries alt text.

Best Practices (15%): 96

HTTPS everywhere, modern image handling, no console errors.

Email & DNS Authentication (10%): 40

SPF is published, but DMARC is set to monitor-only and no DKIM was found.

Fix First

What's costing this business customers

Ranked by business impact, not by how easy they are to find. Two of the three are configuration fixes, not rebuilds.

01

Mobile pages take ~20 seconds to load their main content

Critical

Largest Contentful Paint clocked at 19.6 seconds and First Contentful Paint at 10.9 seconds on a mobile connection. Most of a med spa's traffic is people on phones deciding whether to book. A large share leave before the page even paints. Lighthouse flagged unused CSS and unused JavaScript as the heaviest drags.

The fix: Strip unused CSS/JS, compress and lazy-load images, and put a CDN in front of the site. This single fix moves the score more than everything else combined.

02

Five of six security headers are missing

High

Only X-Frame-Options is set. HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are all absent. These headers are what stop clickjacking, MIME-type attacks, and accidental data leakage. Their absence is also a soft signal to anyone probing the site that it is not closely maintained.

The fix: Add the five missing headers at the server or CDN layer. This is a configuration change, not a rebuild, and it is one of the cheapest hardening wins available.
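An added example, not the scanner behind this report: a small audit of a raw HTTP response head for the six protective headers named above. It goes one step beyond the scorecard's presence check by flagging headers that are set to a weak value; the sample responses, the header values in AFTER, and the 180-day HSTS threshold are assumptions made for illustration.

```python
import re

# The six protective headers this scorecard looks for.
PROTECTIVE = ("Strict-Transport-Security", "Content-Security-Policy",
              "X-Content-Type-Options", "X-Frame-Options",
              "Referrer-Policy", "Permissions-Policy")
MIN_HSTS_AGE = 15552000  # assumption: treat under ~180 days as too short

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return which protective headers are missing and which are set but weak."""
    h = parse_headers(raw)
    missing = [n for n in PROTECTIVE if n.lower() not in h]
    weak = []
    if "strict-transport-security" in h:
        m = re.search(r'max-age\s*=\s*"?(\d+)', h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            weak.append("Strict-Transport-Security")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        weak.append("X-Content-Type-Options")
    if h.get("x-frame-options", "deny").lower() not in ("deny", "sameorigin"):
        weak.append("X-Frame-Options")
    return {"missing": missing, "weak": weak}

# Constructed sample matching the finding above: only X-Frame-Options is set.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample after the fix; the values are illustrative starting points.
AFTER = BEFORE + """Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
"""

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```

A Content-Security-Policy as strict as the one in AFTER will usually break a site that loads third-party scripts, so it is normally rolled out in report-only mode first and tightened from there.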

03

The domain can be spoofed in phishing email

High

SPF is published, but DMARC is set to p=none (it watches, it does not block) and no DKIM signature was found at the common selectors. In that state, a bad actor can send email that appears to come from this clinic's domain, and inboxes have no instruction to reject it. For a business that emails patients about appointments, that is a reputation and deliverability risk.

The fix: Publish a DKIM key, then move DMARC from monitor-only up to quarantine or reject once legitimate mail is confirmed passing.
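An added example, not the scanner behind this report: a classifier for the enforcement state described above, working on TXT record strings that have already been fetched from DNS. The record values and example.com names are constructed, and the state labels ("monitor-only", "partial", "enforced") are this example's own naming.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_state(dmarc_txt):
    """Classify the TXT records published at _dmarc.<domain>."""
    records = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return "none"          # zero or multiple records: no DMARC policy applies
    tags = parse_tags(records[0])
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return "monitor-only"  # p=none (or unusable p): report, never block
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"       # policy applied to only a share of failing mail
    return "enforced"

def assess(spf_txt, dkim_selectors_found, dmarc_txt):
    """Combine the three checks and name the next step in the fix order above."""
    has_spf = any(r.strip().lower().startswith("v=spf1") for r in spf_txt)
    has_dkim = bool(dkim_selectors_found)
    state = dmarc_state(dmarc_txt)
    if not has_dkim:
        step = "publish a DKIM key"
    elif state in ("none", "monitor-only"):
        step = "move DMARC to quarantine or reject"
    elif state == "partial":
        step = "raise pct to 100"
    else:
        step = "none"
    return {"spf": has_spf, "dkim": has_dkim, "dmarc": state,
            "blocks_spoofing": state == "enforced", "next_step": step}

# Constructed records matching the finding above (SPF yes, no DKIM, p=none).
SPF_TXT = ["v=spf1 include:_spf.example.net ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    print(assess(SPF_TXT, [], DMARC_TXT))
```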

What's already working

  • HTTPS with a valid certificate on TLS 1.3, the current standard
  • SEO foundation is clean: accurate title length, a meta description, and a single H1
  • Every image carries alt text, which most sites in this space get wrong
  • Established domain (registered 2008), which carries real trust weight
  • Best-practices score of 96, so the underlying build is sound
Competitive Benchmark

Where they stand against five competitors

The same scan, run on five competing clinics in the same market. A score on its own means little. A score next to the people you compete with for the same booking is the part that lands.

Clinic A: 87
Clinic B: 75
Clinic C: 73
Sample Co. (this report): 66
Clinic D: 59
Clinic E: 55

Sample Co. sits fourth of six. The gap to the market leader is almost entirely mobile speed and security hardening, both fixable without touching the design. That is the kind of finding that turns a free scan into a clear, ranked to-do list.

How This Was Scored

Every number traces to a live check

The overall score is a weighted blend of six dimensions. We publish the weighting because an audit you cannot verify is just an opinion. Performance and accessibility come from Google Lighthouse; security headers and TLS from the live HTTP response; email authentication from DNS records. Nothing here is estimated.

Dimension | Weight | What it measures
Mobile Performance | 25% | Google Lighthouse performance score + Core Web Vitals (LCP, CLS, TBT)
Security Headers & TLS | 20% | TLS version + presence of 6 protective HTTP headers
SEO Foundation | 15% | Lighthouse SEO score + title / meta / heading structure
Accessibility | 15% | Lighthouse accessibility score (WCAG automated checks)
Best Practices | 15% | Lighthouse best-practices score
Email & DNS Authentication | 10% | SPF, DKIM, and DMARC enforcement state

Subject and competitor names are redacted. The figures are from a real scan run in June 2026; a live scorecard reflects the site as it stands the day it is run.

Want this for your site?

The Digital Health Scorecard is free. Send us your URL and your competitors' URLs, and you'll get your own version of this, scored and benchmarked, with no sales call required.