Legend: Secure · Gap · Partial · ℹ Info · CF Opportunity
At-a-Glance — Who Runs What
NO WAF · NO CDN · NO BOT MGMT — COMPLETE GREENFIELD
DNS: Self-Managed (ns1–ns6.chs.net · 20+ years)
CDN: None (direct origin serving via Liquid Web)
WAF: None (XSS & SQLi payloads return 200 OK)
Bot Management: None (no challenge, no CAPTCHA, no detection)
API Security: None (missing 5+ security headers)
Network DDoS: None (single-homed BGP · AT&T only)
Email Security: Proofpoint (DMARC p=none · SPF ~all)
Identity / SSO: Okta, abandoned (chs.okta.com → HTTP 404)
Remote Access: Traditional VPN (vpn.chs.net · no Zero Trust)
Email Platform: Google Workspace (+ Microsoft 365 remnants)
SSL / Certs: GoDaddy (DV cert · no CAA · no DNSSEC)
Web Hosting: Liquid Web (Apache 2.4 · static HTML)
Core Infrastructure
On-Prem DNS (ns1–ns6.chs.net) [Self-Managed]
Category: Authoritative DNS
Nameservers: 6 self-hosted NS · ns1–ns4: 204.227.140.131–134 · ns5–ns6: 216.203.25.133–134
CAA Records: None published
Wildcard: Yes → 11.9.0.1 (private IP leaked)
Anycast: None — all NS on same ASN
Est. Activation: ~2000 (20+ years) (confidence: High)
CF Opportunity: Anycast DNS, 1-click DNSSEC, CAA, IPv6, DNS analytics — replaces 6 on-prem servers
CDN [None Detected]
Category: Content Delivery Network
Status: No CDN — direct origin serving
Hosting: Liquid Web (AS53824) · CNAME → websitesettingsdna.com
Caching: cache-control: max-age=31536000 (origin only)
Performance: Single origin, no edge distribution across 15 states
CF Opportunity: Global CDN for www + all hospital domains — instant performance lift
WAF [None Detected]
Category: Web Application Firewall
XSS Test: NOT BLOCKED — HTTP 200
SQLi Test: NOT BLOCKED — HTTP 200
Path Traversal: 302 redirect, not WAF block
Assessment: ZERO WAF protection on a healthcare company with 4.5M-record breach history
Server Leak: Apache/2.4 version exposed
CF Opportunity: Managed WAF rulesets — HIPAA-critical for healthcare, demo with live XSS/SQLi test
Bot Management [None Detected]
Status: No bot mgmt visible
JS Challenge: None observed
Risk: Career portal scraping, investor data harvesting, credential stuffing on VPN
CF Opportunity: Cloudflare Bot Management — healthcare-specific protection
API Security / Gateway [None Detected]
API Gateway: None detected
CSP Header: Partial — missing script-src, default-src
X-Content-Type-Options: Missing
Permissions-Policy: Missing
Cookie Leak: X-Mapping-nonjpnjf — LB mapping exposed
CF Opportunity: API Shield, Transform Rules (inject missing headers in 15 min)
Network, Hosting & Certificates
On-Prem Network (AS29766) [CHSPSC, LLC]
Category: Self-Managed Network
ASN: AS29766 (CHSPSC-29766)
IP Blocks: 204.227.140.0/22 · 204.227.128.0/24, 204.227.129.0/24, 204.227.132.0/24, 204.227.133.0/24, 204.227.137.0/24, 204.227.138.0/24 · 68.156.159.0/24 · 67.106.199.0/24 (~2,560 total IPs)
Transit: AT&T (AS7018) — SOLE upstream
DDoS: None — direct transit, no scrubbing
Est. Activation: ~2005 (confidence: High)
CF Opportunity: Magic Transit for ~2,560 IPs across 10 prefixes — single-homed BGP is critical risk
Website Hosting (AS53824) [Liquid Web]
IP: 98.129.229.138 (www) · CNAME → websitesettingsdna.com
Server: Apache/2.4 (version exposed)
Tech Stack: Static HTML · jQuery · Tealium (tag mgmt)
CDN/WAF: None in front of origin
CF Opportunity: Cloudflare in front of Liquid Web — CDN, WAF, header stripping
SSL / TLS Certificates [GoDaddy]
Category: Certificate Management
Cert: Go Daddy Secure CA - G2 · DV (Domain Validated only)
SAN List: www.chs.net + chs.net (minimal)
CAA: None — any CA can issue certs
workspace.chs.net: SSL handshake FAILS — broken cert
CF Opportunity: Auto SSL management, Advanced Certificate Manager, CAA enforcement
Internal Services [CHS On-Prem]
Category: Internal Infrastructure (public-facing)
VPN: vpn.chs.net / connect.chs.net (204.227.140.62)
Remote: remote.chs.net (204.227.128.60) · access.chs.net (204.227.128.61)
Portal: portal.chs.net (68.156.159.97)
Workspace: workspace.chs.net (204.227.140.37)
Support: support.chs.net (68.156.159.237)
CF Opportunity: Zero Trust Access for all internal apps — replace VPN for 70+ hospitals
www.chs.net Audit [Security Headers]
HSTS: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
CSP: Partial — object-src 'none'; frame-ancestors 'self' only
X-Content-Type-Options: Missing
Permissions-Policy: Missing
Cookie Leak: X-Mapping-nonjpnjf (LB backend exposed)
CF Opportunity: Transform Rules inject all missing headers — 15-minute fix
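The header findings in this card and in the API Security / Gateway card above can be reproduced by a small offline audit over a captured response header set. The following is an added example, not code from the original report: it evaluates HSTS, X-Frame-Options, CSP directive coverage, X-Content-Type-Options and Permissions-Policy against the expectations used in the audit. The header set it runs on is constructed to mirror the shape of the findings (HSTS and X-Frame-Options present, a CSP carrying only object-src and frame-ancestors, the other two headers absent) and is not a live capture.

```python
"""Audit an HTTP response header set for the hardening headers this page checks.

Added example, not code from the original report. Works entirely offline on a
header dict you supply (constructed sample below); the header names and CSP
directives it expects are the ones listed in the audit above.
"""
from typing import Dict, List

# Directives a baseline CSP needs to actually restrict script and resource
# loading; object-src and frame-ancestors alone leave injected scripts
# unconstrained, which is what "Partial" means in the audit.
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src", "object-src", "frame-ancestors")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {header: verdict} with verdict "ok", "missing" or "partial: <reason>".

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, str] = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        flags = [t.strip().lower() for t in hsts.split(";")]
        max_age = next((int(f.split("=", 1)[1]) for f in flags if f.startswith("max-age=")), 0)
        if max_age < 31536000 or "includesubdomains" not in flags:
            findings["Strict-Transport-Security"] = "partial: max-age >= 1 year and includeSubDomains expected"
        else:
            findings["Strict-Transport-Security"] = "ok"

    xfo = h.get("x-frame-options", "").strip().upper()
    findings["X-Frame-Options"] = "ok" if xfo in ("DENY", "SAMEORIGIN") else ("missing" if not xfo else "partial: " + xfo)

    csp_raw = h.get("content-security-policy")
    if csp_raw is None:
        findings["Content-Security-Policy"] = "missing"
    else:
        lacking = [d for d in REQUIRED_CSP_DIRECTIVES if d not in parse_csp(csp_raw)]
        findings["Content-Security-Policy"] = "ok" if not lacking else "partial: missing " + ", ".join(lacking)

    xcto = h.get("x-content-type-options", "").strip().lower()
    findings["X-Content-Type-Options"] = "ok" if xcto == "nosniff" else ("missing" if not xcto else "partial: " + xcto)

    findings["Permissions-Policy"] = "ok" if "permissions-policy" in h else "missing"
    return findings


# Constructed sample mirroring the shape of the audit above (not a live capture).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "object-src 'none'; frame-ancestors 'self'",
    "Server": "Apache/2.4",
}

if __name__ == "__main__":
    for name, verdict in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
```

Feeding the script a header dict captured from any response (for example from a browser's network panel) produces the same five-line verdict table the card shows; the "partial" CSP verdict names exactly which directives are absent, which is what a Transform Rule or origin config change would need to add.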
Email, Identity & Security
Email Security Gateway [Proofpoint]
MX: mxa/mxb-00241b01.gslb.pphosted.com (pri 10)
DMARC: p=none — NO ENFORCEMENT · spoofed emails still delivered
SPF: Soft fail (~all) — should be -all
DKIM: M365 + SendGrid selectors active
Est. Activation: ~2014 (post-breach) (confidence: High)
CF Opportunity: CF Email Security — complement Proofpoint + DMARC enforcement consulting as door-opener
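The DMARC and SPF posture in this card (and the same point in entry #4 of the sales entry points below) reduces to two questions: what does the `p=` tag actually enforce, and which qualifier sits on the SPF `all` mechanism. The following is an added example, not code from the original report, that answers both from record text alone, with no DNS lookups. The sample records are constructed placeholders (an `example.com` reporting address, a Google and SendGrid SPF include) that reproduce the p=none / ~all combination described above; they are not live query results.

```python
"""Classify the enforcement level of DMARC and SPF records pulled from DNS.

Added example, not code from the original report. It parses record text only
(no DNS lookups), so it runs offline; the sample records are constructed and
reflect the p=none / ~all posture described above, not a live query.
"""
import re
from typing import Dict


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dictionary (tag names lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str) -> str:
    """Return 'none', 'monitor', 'partial' or 'enforced' for a DMARC record.

    - no v=DMARC1 tag                                  -> 'none'     (nothing published)
    - p=none                                           -> 'monitor'  (reports only; spoofed mail is still delivered)
    - p=quarantine/reject with pct<100 or sp=none      -> 'partial'  (sampling or subdomains left open)
    - p=quarantine/reject, pct=100, subdomains covered -> 'enforced'
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"
    pct = int(tags.get("pct", "100"))
    # sp= defaults to p= when absent; an explicit sp=none reopens every subdomain.
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or sub_policy == "none":
        return "partial"
    return "enforced"


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' or '' if absent.

    '-all' is a hard fail (enforcing); '~all' is a soft fail that receivers treat
    only as a hint, which is the weakness called out in the card above.
    """
    m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", record.strip(), re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)


def email_auth_verdict(dmarc_record: str, spf_record: str) -> str:
    """Summarise the combined posture as 'enforcing', 'weak' or 'unenforced'."""
    dmarc = dmarc_enforcement(dmarc_record)
    spf = spf_all_qualifier(spf_record)
    if dmarc == "enforced" and spf == "-":
        return "enforcing"
    if dmarc in ("none", "monitor"):
        return "unenforced"
    return "weak"


# Constructed sample records (placeholders, not live DNS data).
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"

if __name__ == "__main__":
    print("DMARC:", dmarc_enforcement(SAMPLE_DMARC))
    print("SPF all qualifier:", spf_all_qualifier(SAMPLE_SPF))
    print("Verdict:", email_auth_verdict(SAMPLE_DMARC, SAMPLE_SPF))
```

The `partial` class matters in practice: a record that has moved to `p=quarantine` but still carries `pct=10`, or that sets `sp=none`, reads as enforcing at a glance yet leaves most traffic or every subdomain unprotected, so a DMARC rollout is not finished until the evaluator returns `enforced` with `-all` alongside it.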
Primary Email Platform [Google Workspace]
Category: Email & Collaboration
Webmail: mail.chs.net → ghs.googlehosted.com
SPF: include:_spf.google.com
DKIM (Google): No Google DKIM selector detected
Prior Platform: Replaced on-prem Exchange (~2016)
Est. Activation: ~2016 (confidence: Medium)
Legacy Remnant [Microsoft 365]
Category: Email (Legacy/Remnant)
Tenant: chsweb.onmicrosoft.com
Verification: MS=ms41882788 (still in DNS)
DKIM: selector1/selector2 active
Autodiscover: autodiscover.chs.net still public (68.156.159.47)
Risk: Dual platform remnants — incomplete migration from Exchange
Abandoned SSO Tenant [Okta]
Category: Identity & Access (Inactive)
Tenant: chs.okta.com → HTTP 404
Status: Provisioned but inactive — returns Okta's Apache 404 page
Validation: Confirmed via wildcard test — non-existent tenants return a different response
Risk: Abandoned IdP tenant — possible misconfiguration
CF Opportunity: Cloudflare Access + Gateway as ZT identity layer — Okta gap is an opening
Transactional Email [Twilio SendGrid]
Category: Transactional Email
Verification: twilio-domain-verification TXT
DKIM: s1 (2048-bit RSA) + s2 active
Purpose: Patient comms, notifications, operational email
Subsidiaries & Sister Domains
quorumhealth.com [CHS Spinoff — ON CLOUDFLARE]
DNS: Cloudflare NS craig.ns.cloudflare.com
CDN/WAF: Cloudflare CDN + WAF active
Hosting: WP Engine (WordPress)
Relationship: CHS spinoff (2016) — chose CF independently after separating
Talk Track: "Your own spinoff chose Cloudflare"
chsga.com [Subsidiary — ON CLOUDFLARE]
DNS: Cloudflare NS john.ns.cloudflare.com
Hosting: DigitalOcean (165.227.80.250)
Relationship: Possible Georgia subsidiary
Ownership: Verify — may be independently managed
communityhealthsystems.com [Legacy Corporate]
DNS: Same ns1–ns6.chs.net (CHS-managed)
Hosting: A: 64.29.224.18 — no HTTP response
Status: Stale DNS — resolves but serves nothing
Risk: LOW — orphaned but CHS-controlled
communityhealth.com [NOT CHS-OWNED]
Status: FOR SALE — primary brand domain not owned
Risk: Phishing, brand confusion, typosquatting
Action: CHS should acquire or UDRP dispute
CF Opportunity: CF Registrar for domain acquisition + consolidation
Other Brand Domains [Mixed Status]
chs.com: Different entity (Network Solutions)
chs.org: ℹ Cloudflare — Connecticut Museum, NOT CHS
chs.health: GoDaddy — possibly CHS-owned
chshealthcare.com: GoDaddy — possibly CHS-owned
chsmedical.com: EasyDNS → Azure — possibly CHS-owned
chsinc.com: DIFFERENT COMPANY — agricultural co-op (MN)
CF Opportunity: Registrar consolidation for all CHS domains under one dashboard
Legacy Infrastructure & Shadow IT
FTP Server [Legacy Protocol — HIPAA Risk]
Endpoint: ftp.chs.net → 204.227.128.33
Protocol: FTP — credentials in cleartext
Risk: HIGH — HIPAA violation if PHI traverses
Fix: Decommission or migrate to SFTP behind Zero Trust
Exchange / OWA [Legacy Email in DNS]
Endpoints: webmail.chs.net → 204.227.128.98 · autodiscover.chs.net → 68.156.159.47
Status: Publicly resolvable after Google migration
Risk: MEDIUM — unmonitored Exchange attack surface
Fix: Remove public DNS records; restrict to internal
Wildcard DNS [Private IP Leak]
Finding: *.chs.net → 11.9.0.1 (RFC 1918 private IP)
Impact: Any subdomain resolves — internal addressing scheme exposed
Risk: GOVERNANCE — info disclosure
Fix: Return NXDOMAIN for undefined subdomains
2014 Data Breach [Post-Breach Gaps Remain]
Breach: 4.5M patient records stolen · APT via Heartbleed vulnerability
Aftermath: $2.3M settlement (2019), class actions
Gaps in 2026: Still no WAF, DMARC p=none, FTP active, server version exposed
Talk Track: "12 years post-breach, the web layer is still unprotected"
Stale TXT Records [DNS Hygiene]
MS Verification: MS=ms41882788 (M365 — still needed?)
Twilio: twilio-domain-verification (active)
Unknown Hashes: 6+ unidentified hash TXT records
Recommendation: Audit & clean up during DNS migration
CF Opportunity: DNS hygiene consulting as part of managed DNS onboarding
Competitive Landscape — Big Players (Who Uses What)
Tenet Healthcare (~$20B revenue): on Cloudflare, FULL STACK — best peer reference
CommonSpirit Health (~$34B revenue): on Cloudflare, FULL STACK — largest nonprofit system on CF
HCA Healthcare (~$65B revenue)
Universal Health Services (~$15B revenue)
Ascension Health (~$28B revenue)
Aligned Competitors — Similar Size & Structure
Steward Health Care (Multi-State System)
Prospect Medical (Multi-State System)
LifePoint Health (Multi-State System)
Ardent / ScionHealth (Mid-Tier Systems)
Prime Healthcare (Multi-State System)
Top 5 Cloudflare Sales Entry Points
#1 — WAF + CDN + L7 DDoS (Core Application Services)
ZERO WAF, CDN, or bot mgmt on a $12.6B healthcare company. XSS & SQLi payloads return HTTP 200. Apache version exposed. 4.5M-record breach in history. Complete greenfield — no incumbent to displace.
Urgency: IMMEDIATE — HIPAA liability
#2 — Managed DNS + DNSSEC (DNS Migration)
Self-managed DNS for 20+ years on 6 on-prem servers. No DNSSEC, no CAA, no anycast, no IPv6. Single AT&T upstream — one peering failure = total DNS blackout for 70 hospitals.
Urgency: HIGH — single point of failure
#3 — Magic Transit (L3/L4 Network DDoS)
~2,560 IPs across 10 prefixes (AS29766) with zero DDoS scrubbing and a single ISP transit. VPN, DNS, portal, email access all on unprotected IP space.
Urgency: HIGH — critical infrastructure at risk
#4 — Email Security (CF Email Security / Area 1)
Proofpoint incumbent but DMARC p=none (no enforcement) and SPF soft fail (~all). Anyone can spoof @chs.net emails. CF Email Security as complement + DMARC consulting as door-opener.
Urgency: STRATEGIC — door-opener conversation
#5 — Zero Trust / SASE (Cloudflare One)
70+ hospitals, ~60K employees on traditional VPN. Okta SSO abandoned (404). 4 VPN/remote access endpoints exposed. Replace with identity-aware ZTNA + Gateway.
Urgency: STRATEGIC — long-term platform play