The demo was genuinely excellent. The physicians were engaged. The chief medical officer pulled you aside afterward and said this was exactly what they’d been looking for. You left that meeting convinced you had a deal.
Four months later, you’re still waiting.
This is the most common frustration in health system sales, and almost none of it has to do with your product. Understanding what’s actually happening inside the hospital, and what moves each piece forward, is the difference between a deal that closes in five months and one that dies in procurement limbo.
Why hospital deals are structurally slow
Hospitals have more stakeholders in a technology procurement decision than almost any other enterprise buyer. A clinical AI tool that touches patient workflows involves the clinical staff who use it, IT who hosts it, legal who reviews contracts and BAAs, compliance who approves the vendor security review, finance who owns the budget, and medical leadership who must sign off on clinical workflows.
IT
Legal
Compliance
Finance
Medical leadership
Each of these groups operates independently with their own timelines. IT security review takes six to eight weeks. Legal BAA review takes four to six weeks. Finance budget approval, if budget wasn’t pre-allocated, can require a full budget cycle. These processes run sequentially at most institutions.
Your deal isn’t stalling because anyone changed their mind about your product. It’s moving through a series of independent approval queues, each at the speed of the function running it.
The five gates, and how to move each one
Stalls longest
The IT security team receives your vendor questionnaire, adds it to their queue, and works through it when they have capacity. At a large health system, they might be reviewing fifty vendors simultaneously. What accelerates this: proactive, complete submissions. Most stalled IT reviews aren’t waiting on a decision. They’re waiting on documentation you haven’t provided yet. Request a direct call with the IT security reviewer. A 45-minute call where you walk through your security architecture live typically moves an eight-week review to three weeks. Come with your SOC 2 report or compliance timeline, your most recent VAPT, your data flow diagram, and your incident response procedure.
Stalls when both sides are waiting for the other’s move. Submit your BAA template proactively. If they send theirs, have your counsel’s review ready within a week. The friction points are almost always breach notification timelines, indemnification scope, and permitted use of PHI. Know your positions on these before the negotiation starts.
The step that surprises founders who don’t expect it. Clinical informaticists evaluate whether your product integrates cleanly with their EHR and fits their clinical workflows. The way to shorten it: know their EHR environment before the first conversation and have your integration story ready.
Kills unqualified deals
The step that kills deals that weren’t properly qualified. If the budget doesn’t exist yet, you’re waiting for a budget cycle that might be six to twelve months away. Ask the budget question early: ‘Is there a budget allocated for this, or would this require a new budget request?’ The answer tells you the realistic timeline.
Usually the fastest gate, but only if your champion has kept leadership in the loop. Don’t let four weeks pass without your champion updating the CMO. Medical leadership who were enthusiastic in January and haven’t heard anything by March are not going to sign off quickly when procurement finally reaches them.
The pilot that changes everything
Many health systems will approve a limited pilot under a research or evaluation agreement before the full vendor security review is complete. The hospital gets clinical validation before full commitment. You get real-world clinical data and a customer story that accelerates future deals. The formal procurement process runs in parallel.
If you’re four months into a stalled deal, ask your champion directly: ‘Is there a path to running a limited pilot under a research protocol while procurement completes?’ Frame it as removing risk for them.
A running pilot changes the internal dynamics significantly. The physicians who’ve been waiting for your product to get approved start actively advocating with procurement to move faster. The deal momentum, which had been frozen in queue, starts moving again.
The direct question to ask your champion today
If a deal has been ‘in procurement’ for more than 90 days, ask your champion for a specific status update: what are the outstanding items, who owns each one, and what’s blocking each one from moving?
What you’re trying to find out:
- Is the deal stalled because of incomplete documentation you can provide in a week?
- Is it a legal negotiation that requires a direct call between counsel?
- Is it a budget cycle that requires patience?
- Is it something more complex that requires escalation?
‘Just checking in’ emails to champions are not useful. Specific questions about specific blockers are. Your champion wants the deal to close. Give them the structure to help you move it.
Hospital deals don’t die in procurement because the product failed. They die because momentum decays while documentation waits and stakeholders disengage. Active management of each gate is the job.
Some deals in healthcare take eight to twelve months from first demo to signed contract, and there’s no shortcut. The founders who succeed in health system sales manage their pipeline accordingly, with enough early-stage conversations that the portfolio of deals moving through procurement always has a few crossing the finish line.
It’s a patient game. The ones who play it well build remarkable companies.
The IT security gate is the one that stalls most deals longest. It’s also the one that is entirely within your control.
When the hospital’s IT security team sends your vendor questionnaire, the question is whether you have the documentation ready to respond immediately or whether you’re scrambling to build a security program under procurement pressure.
Osto deploys the security infrastructure and produces the documentation that hospital IT reviews require: WAF, endpoint protection, audit logging, continuous monitoring, a current VAPT, and the policies that tie it all together. Teams that arrive at their first hospital conversation already carrying this are in a different position from those who discover what’s needed when the questionnaire lands.