What a Digital Health Scorecard actually looks like
A real scan of a live med spa website, scored across six dimensions and benchmarked against five competitors. The client's identity is redacted. Every number on this page came from an actual scan, not an example.
- Mobile Performance: Largest Contentful Paint 19.6s on mobile (Google's "good" bar is 2.5s).
- Security Headers & TLS: TLS 1.3 active, but 5 of 6 protective HTTP headers are missing.
- SEO Foundation: title length, meta description, and a single clean H1 all in place.
- Accessibility: WCAG automated checks pass; every image carries alt text.
- Best Practices: HTTPS everywhere, modern image handling, no console errors.
- Email & DNS Authentication: SPF is published, but DMARC is set to monitor-only and no DKIM was found.
What's costing this business customers
Ranked by business impact, not by how easy they are to find. Two of the three are configuration fixes, not rebuilds.
Mobile pages take ~20 seconds to load their main content
Severity: Critical. Largest Contentful Paint clocked at 19.6 seconds and First Contentful Paint at 10.9 seconds on a mobile connection. Most of a med spa's traffic is people on phones deciding whether to book. A large share leave before the page even paints. Lighthouse flagged unused CSS and unused JavaScript as the heaviest drags.
The fix: Strip unused CSS/JS, compress and lazy-load images, and put a CDN in front of the site. This single fix moves the score more than everything else combined.
Five of six security headers are missing
Severity: High. Only X-Frame-Options is set. HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are all absent. These headers are what stop clickjacking, MIME-type sniffing, and accidental data leakage. Their absence is also a soft signal to anyone probing the site that it is not closely maintained.
The fix: Add the five missing headers at the server or CDN layer. This is a configuration change, not a rebuild, and it is one of the cheapest hardening wins available.
The domain can be spoofed in phishing email
Severity: High. SPF is published, but DMARC is set to p=none (it watches, it does not block) and no DKIM signature was found at the common selectors. In that state, a bad actor can send email that appears to come from this clinic's domain, and inboxes have no instruction to reject it. For a business that emails patients about appointments, that is a reputation and deliverability risk.
The fix: Publish a DKIM key, then move DMARC from monitor-only up to quarantine or reject once legitimate mail is confirmed passing.
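The two configuration checks behind the header and email findings above, as an added example that is not the scorecard's own code: the six header names are the ones the page counts; the response headers and DMARC record below are constructed to match the findings, standing in for a live HTTP response and DNS lookup.

```python
"""Added example (not the scorecard's own code): the two configuration
checks behind the findings above, run against constructed inputs instead
of a live HTTP response and DNS lookup."""

# The six protective headers the scorecard counts (names from the page).
PROTECTIVE_HEADERS = [
    "Strict-Transport-Security",   # HSTS
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]

def missing_security_headers(headers):
    """Return the protective headers absent from a response, in page order.
    HTTP header names are case-insensitive, so compare lower-cased."""
    present = {name.lower() for name in headers}
    return [h for h in PROTECTIVE_HEADERS if h.lower() not in present]

def dmarc_policy(txt_record):
    """Classify the _dmarc TXT record's p= tag: 'monitor-only' (p=none),
    'quarantine', 'reject', or None when no enforceable DMARC record exists."""
    if not txt_record or not txt_record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy == "none":
        return "monitor-only"
    if policy in ("quarantine", "reject"):
        return policy
    return None  # p= missing or unrecognised: not an enforcing record

# Constructed inputs matching the findings above: only X-Frame-Options set,
# and a DMARC record that watches but does not block.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("missing headers:", missing_security_headers(SAMPLE_HEADERS))
    print("DMARC state:", dmarc_policy(SAMPLE_DMARC))
```

Once the five headers are added and DMARC is moved to quarantine or reject, the same two functions return an empty list and the enforcing policy name, which is the check to repeat after the fix.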
What's already working
- HTTPS with a valid certificate on TLS 1.3, the current standard
- SEO foundation is clean: accurate title length, a meta description, and a single H1
- Every image carries alt text, which most sites in this space get wrong
- Established domain (registered 2008), which carries real trust weight
- Best-practices score of 96, so the underlying build is sound
Where they stand against five competitors
The same scan, run on five competing clinics in the same market. A score on its own means little. A score next to the people you compete with for the same booking is the part that lands.
Sample Co. sits fourth of six. The gap to the market leader is almost entirely mobile speed and security hardening, both fixable without touching the design. That is the kind of finding that turns a free scan into a clear, ranked to-do list.
Every number traces to a live check
The overall score is a weighted blend of six dimensions. We publish the weighting because an audit you cannot verify is just an opinion. Performance and accessibility come from Google Lighthouse; security headers and TLS from the live HTTP response; email authentication from DNS records. Nothing here is estimated.
| Dimension | Weight | What it measures |
|---|---|---|
| Mobile Performance | 25% | Google Lighthouse performance score + Core Web Vitals (LCP, CLS, TBT) |
| Security Headers & TLS | 20% | TLS version + presence of 6 protective HTTP headers |
| SEO Foundation | 15% | Lighthouse SEO score + title / meta / heading structure |
| Accessibility | 15% | Lighthouse accessibility score (WCAG automated checks) |
| Best Practices | 15% | Lighthouse best-practices score |
| Email & DNS Authentication | 10% | SPF, DKIM, and DMARC enforcement state |
Subject and competitor names are redacted. The figures are from a real scan run in June 2026; a live scorecard reflects the site as it stands the day it is run.
Want this for your site?
The Digital Health Scorecard is free. Send us your URL and your competitors' URLs, and you'll get your own version of this, scored and benchmarked, with no sales call required.