Healthcare website security benchmarks — how hospitals & telehealth score

What they tend to get right

TLS is universally modern on patient-portal subdomains because HIPAA's transmission-security requirement effectively forces it. Cookie attributes on authenticated portals are typically correct. Email auth tends to be mature for sender domains used for appointment notifications.

Where they fall short

CSP coverage is inconsistent — telehealth platforms ship it; many hospital marketing sites don't. Server banners frequently leak the CMS or hosting platform. Permissions-Policy is uncommon. Older hospital sites occasionally still serve mixed content. Patient-portal CORS configurations are sometimes overly permissive to support partner integrations.

Common findings in this sector

Findings that show up frequently across healthcare sites we’ve scanned, ranked by approximate prevalence.

• CSP missing →

  ~65% of sites

  Marketing sites often skip CSP; telehealth platforms tend to ship it

• Permissions-Policy missing →

  ~70% of sites

  Rare across both hospital and telehealth sites

• Server version disclosed →

  ~35% of sites

  WordPress and Drupal banners common on hospital marketing sites

• X-Powered-By exposed →

  ~30% of sites

  PHP/ASP.NET version disclosure remains common

• Weak CSP →

  ~40% of sites

  When present, often allows wildcard or unsafe-inline for embedded video/imaging