Community Health Systems — Infrastructure Technology Matrix

chs.net  |  NYSE: CYH  |  ~70 Hospitals · 15 States  |  Analysis Date: June 30, 2026

Legend: Secure · Gap · Partial · Info · CF Opportunity
At-a-Glance — Who Runs What
NO WAF · NO CDN · NO BOT MGMT — COMPLETE GREENFIELD
DNS
Self-Managed
ns1–ns6.chs.net · 20+ years
CDN
None
Direct origin serving via Liquid Web
WAF
None
XSS & SQLi payloads return 200 OK
Bot Management
None
No challenge, no CAPTCHA, no detection
API Security
None
Missing 5+ security headers
Network DDoS
None
Single-homed BGP · AT&T only
Email Security
Proofpoint
DMARC p=none · SPF ~all
Identity / SSO
Okta (Abandoned)
chs.okta.com → HTTP 404
Remote Access
Traditional VPN
vpn.chs.net · No Zero Trust
Email Platform
Google Workspace
+ Microsoft 365 remnants
SSL / Certs
GoDaddy
DV cert · No CAA · No DNSSEC
Web Hosting
Liquid Web
Apache 2.4 · Static HTML
Core Infrastructure
Self-Managed · On-Prem DNS (ns1–ns6.chs.net)
Category
Authoritative DNS
Nameservers
6 self-hosted NS
ns1–ns4: 204.227.140.131–134
ns5–ns6: 216.203.25.133–134
DNSSEC
Not Enabled
CAA Records
None Published
IPv6 (AAAA)
None
Wildcard
Yes → 11.9.0.1 (private IP leaked)
Anycast
None — all NS on same ASN
Est. Activation
~2000 (20+ years)   High
CF Opportunity: Anycast DNS, 1-click DNSSEC, CAA, IPv6, DNS analytics — replaces 6 on-prem servers
None Detected · CDN
Category
Content Delivery Network
Status
No CDN — direct origin serving
Hosting
Liquid Web (AS53824)
CNAME → websitesettingsdna.com
Caching
cache-control: max-age=31536000 (origin only)
HTTP/3
Not supported
Performance
Single origin, no edge distribution across 15 states
Confidence
High
CF Opportunity: Global CDN for www + all hospital domains — instant performance lift
None Detected · WAF
Category
Web Application Firewall
XSS Test
NOT BLOCKED — HTTP 200
SQLi Test
NOT BLOCKED — HTTP 200
Path Traversal
302 redirect, not WAF block
Assessment
ZERO WAF protection on a healthcare company with 4.5M-record breach history
Server Leak
Apache/2.4 version exposed
Confidence
High
CF Opportunity: Managed WAF rulesets — HIPAA-critical for healthcare, demo with live XSS/SQLi test
None Detected · Bot Management
Category
Bot Management
Status
No bot mgmt visible
JS Challenge
None observed
CAPTCHA
None
Risk
Career portal scraping, investor data harvesting, credential stuffing on VPN
Confidence
High
CF Opportunity: Cloudflare Bot Management — healthcare-specific protection
None Detected · API Security / Gateway
Category
API Security
API Gateway
None detected
CSP Header
Partial — missing script-src, default-src
X-Content-Type-Options
Missing
Referrer-Policy
Missing
Permissions-Policy
Missing
Cookie Leak
X-Mapping-nonjpnjf — LB mapping exposed
Confidence
High
CF Opportunity: API Shield, Transform Rules (inject missing headers in 15 min)
Network, Hosting & Certificates
CHSPSC, LLC · On-Prem Network (AS29766)
Category
Self-Managed Network
ASN
AS29766 (CHSPSC-29766)
IP Blocks
204.227.140.0/22
204.227.128-129, 132-133, 137-138.0/24
68.156.159.0/24 · 67.106.199.0/24
(~2,560 total IPs)
Transit
AT&T (AS7018) — SOLE upstream
DDoS
None — direct transit, no scrubbing
IPv6
Zero IPv6 readiness
Est. Activation
~2005   High
CF Opportunity: Magic Transit for ~2,560 IPs across 10 prefixes — single-homed BGP is critical risk
Liquid Web · Website Hosting (AS53824)
Category
Web Hosting
IP
98.129.229.138 (www)
CNAME → websitesettingsdna.com
Server
Apache/2.4 (version exposed)
Tech Stack
Static HTML · jQuery · Tealium (tag mgmt)
CDN/WAF
None in front of origin
Confidence
High
CF Opportunity: Cloudflare in front of Liquid Web — CDN, WAF, header stripping
GoDaddy · SSL / TLS Certificates
Category
Certificate Management
Cert
Go Daddy Secure CA - G2
DV (Domain Validated only)
SAN List
www.chs.net + chs.net (minimal)
Expiry
Jan 24, 2027
CAA
None — any CA can issue certs
workspace.chs.net
SSL handshake FAILS — broken cert
Confidence
High
CF Opportunity: Auto SSL management, Advanced Certificate Manager, CAA enforcement
CHS On-Prem · Internal Services
Category
Internal Infrastructure (public-facing)
VPN
vpn.chs.net / connect.chs.net
204.227.140.62
Remote
remote.chs.net (204.227.128.60)
access.chs.net (204.227.128.61)
Portal
portal.chs.net (68.156.159.97)
Workspace
workspace.chs.net (204.227.140.37)
Support
support.chs.net (68.156.159.237)
Confidence
High
CF Opportunity: Zero Trust Access for all internal apps — replace VPN for 70+ hospitals
Security Headers · www.chs.net Audit
HSTS
max-age=31536000; includeSubDomains; preload
X-Frame-Options
SAMEORIGIN
CSP
Partial — object-src 'none'; frame-ancestors 'self' only
X-Content-Type-Opts
Missing
Referrer-Policy
Missing
Permissions-Policy
Missing
Cookie Leak
X-Mapping-nonjpnjf (LB backend exposed)
CF Opportunity: Transform Rules inject all missing headers — 15-minute fix
Email, Identity & Security
Proofpoint · Email Security Gateway
Category
Email Security
MX
mxa/mxb-00241b01.gslb.pphosted.com (pri 10)
DMARC
p=none — NO ENFORCEMENT
Spoofed emails still delivered
SPF
Soft fail (~all) — should be -all
DKIM
M365 + SendGrid selectors active
Est. Activation
~2014 (post-breach)   High
CF Opportunity: CF Email Security — complement Proofpoint + DMARC enforcement consulting as door-opener
Google Workspace · Primary Email Platform
Category
Email & Collaboration
Webmail
mail.chs.net → ghs.googlehosted.com
SPF
include:_spf.google.com
DKIM (Google)
No Google DKIM selector detected
Prior Platform
Replaced on-prem Exchange (~2016)
Est. Activation
~2016   Medium
Microsoft 365 Legacy Remnant
Category
Email (Legacy/Remnant)
Tenant
chsweb.onmicrosoft.com
Verification
MS=ms41882788 (still in DNS)
DKIM
selector1/selector2 active
Autodiscover
autodiscover.chs.net still public (68.156.159.47)
Risk
Dual platform remnants — incomplete migration from Exchange
Confidence
High
Okta Abandoned SSO Tenant
Category
Identity & Access (Inactive)
Tenant
chs.okta.com HTTP 404
Status
Provisioned but inactive — returns Okta's Apache 404 page
Validation
Confirmed via wildcard test — non-existent tenants return different response
Risk
Abandoned IdP tenant — possible misconfiguration
Confidence
Medium
CF Opportunity: Cloudflare Access + Gateway as ZT identity layer — Okta gap is an opening
Twilio SendGrid · Transactional Email
Category
Transactional Email
Verification
twilio-domain-verification TXT
DKIM
s1 (2048-bit RSA) + s2 active
Purpose
Patient comms, notifications, operational email
Confidence
High
Subsidiaries & Sister Domains
quorumhealth.com CHS Spinoff — ON CLOUDFLARE
DNS
Cloudflare NS craig.ns.cloudflare.com
CDN/WAF
Cloudflare CDN + WAF active
Hosting
WP Engine (WordPress)
Relationship
CHS spinoff (2016) — chose CF independently after separating
Talk Track
"Your own spinoff chose Cloudflare"
Confidence
High
chsga.com Subsidiary — ON CLOUDFLARE
DNS
Cloudflare NS john.ns.cloudflare.com
Hosting
DigitalOcean (165.227.80.250)
Relationship
Possible Georgia subsidiary
Ownership
Verify — may be independently managed
Confidence
Medium
communityhealthsystems.com · Legacy Corporate
DNS
Same ns1–ns6.chs.net (CHS-managed)
Hosting
A: 64.29.224.18 — no HTTP response
Status
Stale DNS — resolves but serves nothing
Risk
LOW — orphaned but CHS-controlled
Confidence
High
communityhealth.com NOT CHS-OWNED
DNS
Afternic / parked
Status
FOR SALE — primary brand domain not owned
Risk
Phishing, brand confusion, typosquatting
Action
CHS should acquire or UDRP dispute
Confidence
High
CF Opportunity: CF Registrar for domain acquisition + consolidation
Other Brand Domains · Mixed Status
chs.com
Different entity (Network Solutions)
chs.org
Cloudflare — Connecticut Museum, NOT CHS
chs.health
GoDaddy — possibly CHS-owned
chshealthcare.com
GoDaddy — possibly CHS-owned
chsmedical.com
EasyDNS → Azure — possibly CHS-owned
chsinc.com
DIFFERENT COMPANY — agricultural co-op (MN)
Confidence
Medium
CF Opportunity: Registrar consolidation for all CHS domains under one dashboard
Legacy Infrastructure & Shadow IT
FTP Server Legacy Protocol — HIPAA Risk
Endpoint
ftp.chs.net → 204.227.128.33
Protocol
FTP — credentials in cleartext
Risk
HIGH — HIPAA violation if PHI traverses
Fix
Decommission or migrate to SFTP behind Zero Trust
Exchange / OWA Legacy Email in DNS
Endpoints
webmail.chs.net → 204.227.128.98
autodiscover.chs.net → 68.156.159.47
Status
Publicly resolvable after Google migration
Risk
MEDIUM — unmonitored Exchange attack surface
Fix
Remove public DNS records; restrict to internal
Wildcard DNS Private IP Leak
Finding
*.chs.net → 11.9.0.1 (RFC 1918 private IP)
Impact
Any subdomain resolves — internal addressing scheme exposed
Risk
GOVERNANCE — info disclosure
Fix
Return NXDOMAIN for undefined subdomains
2014 Data Breach Post-Breach Gaps Remain
Breach
4.5M patient records stolen
APT via Heartbleed vulnerability
Aftermath
$2.3M settlement (2019), class actions
Gaps in 2026
Still no WAF, DMARC p=none, FTP active, server version exposed
Talk Track
"12 years post-breach, the web layer is still unprotected"
Stale TXT Records DNS Hygiene
MS Verification
MS=ms41882788 (M365 — still needed?)
Twilio
twilio-domain-verification (active)
Unknown Hashes
6+ unidentified hash TXT records
Recommendation
Audit & clean up during DNS migration
CF Opportunity: DNS hygiene consulting as part of managed DNS onboarding
Competitive Landscape — Big Players (Who Uses What)
Tenet Healthcare · ~$20B Revenue
DNS
Cloudflare
CDN/WAF
Cloudflare
Cloudflare?
FULL STACK — best peer reference
CommonSpirit Health · ~$34B Revenue
DNS
Cloudflare
CDN/WAF
Cloudflare
Cloudflare?
FULL STACK — largest nonprofit system on CF
HCA Healthcare · ~$65B Revenue
DNS
Azure DNS
CDN/WAF
None detected
Cloudflare?
No
Universal Health Services · ~$15B Revenue
DNS
AT&T DNS
CDN/WAF
None (Apache/AWS)
Cloudflare?
No
Ascension Health · ~$28B Revenue
DNS
Self-managed
CDN/WAF
Fastly / Varnish
Cloudflare?
No
Aligned Competitors — Similar Size & Structure
Steward Health Care · Multi-State System
DNS
Cloudflare
CDN/WAF
Cloudflare
Cloudflare?
YES
Prospect Medical · Multi-State System
DNS
Azure DNS
CDN/WAF
Cloudflare
Cloudflare?
YES
LifePoint Health · Multi-State System
DNS
GCD DNS
CDN/WAF
None detected
Cloudflare?
No
Ardent / ScionHealth · Mid-Tier Systems
DNS
Google / GoDaddy
CDN/WAF
Fastly
Cloudflare?
No
Prime Healthcare · Multi-State System
DNS
NS1
CDN/WAF
Sucuri WAF
Cloudflare?
No
Top 5 Cloudflare Sales Entry Points
#1 — WAF + CDN + L7 DDoS · Core Application Services
ZERO WAF, CDN, or bot mgmt on a $12.6B healthcare company. XSS & SQLi payloads return HTTP 200. Apache version exposed. 4.5M-record breach in history. Complete greenfield — no incumbent to displace.
Urgency
IMMEDIATE — HIPAA liability
#2 — Managed DNS + DNSSEC · DNS Migration
Self-managed DNS for 20+ years on 6 on-prem servers. No DNSSEC, no CAA, no anycast, no IPv6. Single AT&T upstream — one peering failure = total DNS blackout for 70 hospitals.
Urgency
HIGH — single point of failure
#3 — Magic Transit · L3/L4 Network DDoS
~2,560 IPs across 10 prefixes (AS29766) with zero DDoS scrubbing and a single ISP transit. VPN, DNS, portal, email access all on unprotected IP space.
Urgency
HIGH — critical infrastructure at risk
#4 — Email Security · CF Email Security (Area 1)
Proofpoint incumbent but DMARC p=none (no enforcement) and SPF soft fail (~all). Anyone can spoof @chs.net emails. CF Email Security as complement + DMARC consulting as door-opener.
Urgency
STRATEGIC — door-opener conversation
#5 — Zero Trust / SASE · Cloudflare One
70+ hospitals, ~60K employees on traditional VPN. Okta SSO abandoned (404). 4 VPN/remote access endpoints exposed. Replace with identity-aware ZTNA + Gateway.
Urgency
STRATEGIC — long-term platform play