HCA Healthcare, Inc. — Infrastructure Technology Matrix

hcahealthcare.com  |  NYSE: HCA  |  ~$65B Revenue  |  180+ Hospitals  |  Analysis Date: June 30, 2026

At-a-Glance — Who Runs What
Banner: WAF · BOT MGMT · DDOS — PRESENT BUT NOT EXTERNALLY VISIBLE
  DNS: Azure DNS (ns1-35.azure-dns.com · ~3-5 yrs)
  CDN: Akamai ION (CDN delivery ONLY · ~5-8 yrs)
  WAF: NONE (XSS + SQLi pass through unblocked)
  Bot Management: DISABLED (ENABLE_BOTF=false in Akamai config)
  API Security: NONE (zero security headers on main site)
  Network DDoS: NONE (AS14626 · Lumen + AT&T transit only)
  Email Security: Proofpoint (DMARC: quarantine, not reject)
  Identity / SSO: Okta, 4 tenants (hca · hcahealthcare · hcait · medcity)
  CMS / Origin: Sitecore XM Cloud (Next.js frontend · Azure App Service)
  AI / Data Platform: Azure + Google Cloud (Azure OpenAI likely · GCP partnership 2021)
  Cloudflare Footprint: 4 properties already (Parallon · hcadam · careers · investor)
  EHR System: Epic (MyChart patient portal · Epic AI built-in)
Core Infrastructure
Microsoft Azure / Azure DNS
  Category: Managed DNS
  Nameservers: ns1-35.azure-dns.com, ns2-35.azure-dns.net, ns3-35.azure-dns.org, ns4-35.azure-dns.info
  DNSSEC: Not Enabled
  CAA Records: 5 CAs allowed (IdenTrust, SecureTrust, DigiCert, AWS, Google)
  IPv6 (AAAA): None
  Wildcard: Yes → 165.214.41.39 (HCA-owned)
  Self-Managed DNS: medcity.net still runs ns1/ns2; handles sarahcannon, parallon, hcahealthcare.org
  Est. Activation: ~2021–2023 (confidence High)
  CF Opportunity: 1-click DNSSEC, consolidate Azure + medcity.net under one platform, DNS analytics
Akamai ION (CDN Only — No Security)
  Category: Content Delivery Network
  Coverage: www.hcahealthcare.com, medicalcityhealthcare.com, healthonecares.com
  Property: www.hcahealthcare.com v4 (CNAME → edgekey.net)
  SureRoute: Enabled (HCA-Healthcare-e12400)
  mPulse RUM: Enabled (Real User Monitoring)
  HTTP/3: Supported (alt-svc)
  Header Leaks: TiPMix, x-ms-routing-name, sc_site cookies leak from Azure origin
  Est. Activation: ~2016–2018 (confidence High)
  CF Opportunity: Akamai is CDN-only — no security products enabled. Cloudflare replaces CDN + adds WAF/Bot/API in one.
Web Application Firewall: NONE DETECTED
  Category: WAF
  XSS Test: HTTP 200 — NOT BLOCKED
  SQLi Test: HTTP 200 — NOT BLOCKED
  Kona / App & API Protector: No Akamai WAF headers present
  WAF Cookies: No ak_bmsc, bm_sv, _abck cookies
  Assessment: No WAF on main US hospital sites. HCA may pay Akamai for CDN only — the WAF was likely lost when F5 BIG-IP was removed from the traffic path.
  Confidence: 95% (possible monitor-only mode)
  CF Opportunity: CRITICAL — $65B healthcare company with no WAF. HIPAA compliance risk. Cloudflare WAF deploys immediately.
Bot Management: DISABLED
  Category: Bot Management
  Akamai Bot Fighter: ENABLE_BOTF=false (explicitly disabled in Akamai config)
  Real User Attestation: RUA_IMPL_ENABLED_ON=false
  Bot Cookies: None (ak_bmsc, bm_sv, _abck absent)
  Risk: Credential stuffing on patient portals, appointment hoarding, price scraping (CMS transparency), PHI account takeover
  Note: Licensed but disabled, or never purchased — either way, not protecting.
  Confidence: 99% (Akamai debug confirms)
  CF Opportunity: Cloudflare Bot Management + Turnstile — healthcare-critical protection for 35M+ annual patient encounters
API Security / Gateway: NONE
  Category: API Security
  HSTS: Missing
  CSP: Missing
  X-Frame-Options: Missing
  X-Content-Type-Options: Missing
  Rate Limiting: None — no X-RateLimit headers
  Origin Leak: Azure App Service cookies (TiPMix, x-ms-routing-name) visible through CDN
  Confidence: 99%
  CF Opportunity: API Shield, Transform Rules for header stripping, rate limiting, schema validation
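The header findings above (missing HSTS, CSP, X-Frame-Options, X-Content-Type-Options, no rate-limit headers, origin affinity cookies passing through the CDN) are the kind of check a defender can run against any response before and after putting an edge in front of the origin. The following is an added example written for this page, not code from the matrix or from any vendor named on it; the two responses it audits are constructed to resemble the weak state described above and a hardened state, and the header thresholds (one-year HSTS max-age, the list of origin affinity cookie names) are this example's assumptions.

```python
"""Audit one HTTP response for the security headers this matrix checks.

Added example (not the page's or any vendor's code). Response samples are
constructed; the cookie-name list and thresholds are assumptions.
"""
from typing import Dict, Sequence

# Cookie names that mark an Azure App Service origin when a CDN forwards
# them unchanged (the matrix calls this an "origin leak").  Assumed list.
ORIGIN_AFFINITY_COOKIES = ("TiPMix", "x-ms-routing-name", "ARRAffinity")
MIN_HSTS_MAX_AGE = 31536000  # one year, the usual minimum for preload lists


def _directives(value: str) -> Dict[str, str]:
    """Split 'a=1; b; c=x' into {'a': '1', 'b': '', 'c': 'x'} (keys lower-cased)."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: Dict[str, str],
                           cookies: Sequence[str] = ()) -> Dict[str, str]:
    """Return {check: 'ok' | 'missing' | 'weak: reason'} for a single response.

    `headers` maps response header names (any case) to values; `cookies` is
    the list of cookie names observed in Set-Cookie headers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, str] = {}

    # HSTS must be present and long-lived; a short max-age is easy to miss.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["HSTS"] = "missing"
    else:
        try:
            max_age = int(_directives(hsts).get("max-age", "0"))
        except ValueError:
            max_age = 0
        findings["HSTS"] = "ok" if max_age >= MIN_HSTS_MAX_AGE else f"weak: max-age={max_age}"

    # CSP: require a default-src fallback and no inline-script allowance.
    csp = h.get("content-security-policy")
    if csp is None:
        findings["CSP"] = "missing"
    elif "default-src" not in csp:
        findings["CSP"] = "weak: no default-src fallback"
    elif "'unsafe-inline'" in csp:
        findings["CSP"] = "weak: 'unsafe-inline' allowed"
    else:
        findings["CSP"] = "ok"

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing"
    else:
        findings["X-Frame-Options"] = "ok" if xfo.strip().upper() in ("DENY", "SAMEORIGIN") else f"weak: {xfo}"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    else:
        findings["X-Content-Type-Options"] = "ok" if xcto.strip().lower() == "nosniff" else f"weak: {xcto}"

    # Rate limiting cannot be proven from headers, but the matrix uses the
    # absence of any X-RateLimit-* / RateLimit-* header as its signal.
    if any(k.startswith(("x-ratelimit-", "ratelimit-")) for k in h):
        findings["Rate limiting"] = "ok"
    else:
        findings["Rate limiting"] = "missing"

    leaked = sorted(c for c in cookies if c in ORIGIN_AFFINITY_COOKIES)
    findings["Origin leak"] = f"weak: origin cookies exposed: {', '.join(leaked)}" if leaked else "ok"
    return findings


# Constructed sample: resembles the weak state described in the matrix.
WEAK_HEADERS = {"Content-Type": "text/html", "Alt-Svc": 'h3=":443"; ma=86400'}
WEAK_COOKIES = ["TiPMix", "x-ms-routing-name", "sc_site"]

# Constructed sample: what an edge-hardened response should look like.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "RateLimit-Limit": "100",
}
HARDENED_COOKIES = ["session"]

if __name__ == "__main__":
    for name, hdrs, cks in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                            ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(name)
        for check, verdict in audit_security_headers(hdrs, cks).items():
            print(f"  {check:24s} {verdict}")
```

Running it prints every check as missing or weak for the constructed weak response and all ok for the hardened one; the Origin leak line names the affinity cookies an edge should strip, which is the Transform Rules use case the matrix lists.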
Cloud, Hosting & Network
Microsoft Azure / Primary Cloud
  Category: Cloud Hosting (Primary)
  Services: Azure DNS, Azure Front Door (root redirect), Azure App Service (Sitecore origin), Application Insights
  Root IP: 150.171.109.183 (Azure / AS8075)
  Origin: wwwprod104-hcahealthcare-sitecore-cloud.dpxmedcity.net
  Cookie Leak: TiPMix + x-ms-routing-name exposed
  Est. Activation: ~2021–2023 (confidence High)
  CF Opportunity: Cloudflare in front of Azure — header stripping, caching, WAF, bot protection
HCA Healthcare / On-Prem (AS14626)
  Category: Self-Managed Network
  ASN: AS14626 ("COLUMBIA-HCA"); name unchanged since 1994
  IP Blocks: 165.214.x.x (36 prefixes), 199.91.3x.x (8 prefixes); 44 total IPv4 prefixes
  Transit: Lumen (AS3356) + AT&T (AS7018) only
  DDoS: NONE — no scrubbing service in AS path
  IPv6: Zero IPv6 presence
  Confidence: 95% (RIPE RIS)
  CF Opportunity: Magic Transit for 44 prefix blocks — DDoS protection for patient-critical systems
IdenTrust / HydrantID / SSL/TLS Certificates
  Category: Certificate Management
  US Cert: IdenTrust → HydrantID Server CA O1; OV cert · 39 SANs; expires Feb 19, 2027
  UK Cert: DigiCert Global G2 TLS RSA; expires Nov 20, 2026
  SAN Reveals: 39 SANs expose all hospital brand domains (sahealth, stdavids, tristarhealth, missionhealth, etc.)
  CAs Allowed: 5 CAs in CAA — decentralized cert management
  Confidence: 99%
  CF Opportunity: Auto cert management, Advanced Certificate Manager, single-pane TLS
Sitecore XM Cloud CMS + Content Hub DAM
  Category: Content Management
  CMS: Sitecore XM Cloud + Next.js frontend
  DAM: Sitecore Content Hub / Stylelabs; hcadam.com → on Cloudflare
  Origin: dpxmedcity.net (DPX implementation partner)
  AI Features: AI personalization, content recommendations, auto-tagging (DAM)
  Est. Activation: ~2022–2024 (confidence High)
  CF Opportunity: Cloudflare works with Sitecore via standard origin pull — like the DAM already does
F5 Networks BIG-IP (Legacy)
  Category: Legacy Load Balancer
  Status: Still active on sarahcannon.com redirects
  Evidence: TS01d758f2 cookie — can decode to reveal internal IPs
  Former Role: Primary LB + WAF (F5 ASM) before Akamai CDN
  What Happened: When Akamai took over CDN, the F5 WAF was removed but never replaced with a cloud WAF
  Est. Activation: ~2010–2014 (confidence High)
  CF Opportunity: Full F5 displacement — Cloudflare handles LB, WAF, and CDN
Email, Identity & Security
Proofpoint / Email Security Gateway
  Category: Email Security
  MX: mxa/mxb-00039202.gslb.pphosted.com (pri 10)
  DMARC: p=quarantine (NOT reject); sister domains medcity.net + sarahcannon.com use p=reject
  SPF: Soft fail (~all) — should be -all
  DKIM: Present (custom selectors)
  Est. Activation: ~2018–2020 (confidence High)
  CF Opportunity: CF Email Security — primary domain has WEAKER email protection than internal domains
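The DMARC and SPF comparison above (p=quarantine and ~all on the primary domain against p=reject on sister domains) reduces to reading two TXT records and grading their terminal policy. The following is an added example written for this page, not code from the matrix or from Proofpoint; the records it grades are constructed on example.com to mirror the policies reported above, and the grading labels are this example's own. It also handles the sp= and pct= tags, which the matrix does not mention but which can quietly weaken an otherwise strict record.

```python
"""Grade DMARC and SPF TXT records for the policy gaps this matrix reports.

Added example (not the page's or Proofpoint's code). Records below are
constructed on example.com; grade wording is this example's assumption.
"""
import re
from typing import Dict


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict. Raises ValueError otherwise."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def spf_all_qualifier(txt: str) -> str:
    """Return the qualifier on the terminal 'all' mechanism.

    '-' hard fail, '~' soft fail, '?' neutral, '+' pass (bare 'all' is '+'),
    or '' when the record has no 'all' mechanism at all.
    """
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return ""


def grade_email_auth(dmarc_txt: str, spf_txt: str) -> Dict[str, str]:
    """Return {'dmarc': ..., 'subdomains': ..., 'spf': ..., 'reporting': ...} grades."""
    tags = parse_dmarc(dmarc_txt)
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))       # share of failing mail policy applies to
    out: Dict[str, str] = {}

    if p == "reject" and pct == 100:
        out["dmarc"] = "strong: p=reject"
    elif p == "reject":
        out["dmarc"] = f"partial: p=reject but pct={pct} leaves some spoofed mail unrejected"
    elif p == "quarantine":
        out["dmarc"] = "partial: p=quarantine (spoofed mail is spam-foldered, not rejected)"
    else:
        out["dmarc"] = "weak: p=none (monitor only)"

    out["subdomains"] = "ok: sp matches p" if sp == p else f"weak: sp={sp} is looser than p={p}"

    q = spf_all_qualifier(spf_txt)
    out["spf"] = {
        "-": "strong: -all (hard fail)",
        "~": "partial: ~all (soft fail; should be -all)",
        "?": "weak: ?all (neutral, no enforcement)",
        "+": "weak: +all (any host may send)",
        "": "weak: no 'all' mechanism",
    }[q]

    out["reporting"] = "ok: rua= set" if tags.get("rua") else "missing: no rua= aggregate reports"
    return out


# Constructed records mirroring the matrix: primary domain vs. a sister domain.
PRIMARY_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
PRIMARY_SPF = "v=spf1 include:spf.protection.example.net ~all"
SISTER_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SISTER_SPF = "v=spf1 include:spf.protection.example.net -all"

if __name__ == "__main__":
    for label, d, s in (("primary", PRIMARY_DMARC, PRIMARY_SPF),
                        ("sister", SISTER_DMARC, SISTER_SPF)):
        print(label)
        for check, verdict in grade_email_auth(d, s).items():
            print(f"  {check:12s} {verdict}")
```

The primary-domain records grade as partial on both DMARC and SPF while the sister-domain records grade as strong, which is the comparison the matrix draws; the sp= check matters because a domain can publish p=reject while its subdomains silently inherit a weaker sp=none.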
Okta / SSO / Identity (4 Tenants)
  Category: Identity & Access Management
  hca.okta.com: Active; primary corporate SSO
  hcahealthcare.okta.com: Active; next-gen (tng) infra — migration?
  hcait.okta.com: Active; IT-specific tenant
  medcity.okta.com: HTTP 429; rate-limited, likely active
  Zero Trust: Shadow subdomains (vpn, citrix, adfs, sso) publicly resolvable — not a full ZT architecture
  Est. Activation: ~2018–2020 (confidence 95%)
  CF Opportunity: Cloudflare One (ZTNA + SASE) — 180+ hospitals, 275K employees, replace public DNS for internal apps
Imperva / WAF (UK Only)
  Category: WAF — UK Operations Only
  Domain: hcahealthcare.co.uk
  Evidence: visid_incap_*, nlbi_*, incap_ses_* cookies
  Hosting: Vercel + Next.js
  DNS: AWS Route 53 (independent from US)
  Key Insight: The UK team made independent technology decisions — different DNS, WAF, hosting, and cert CA from the US
  Confidence: 99%
  CF Opportunity: Displace Imperva on UK — Cloudflare already in 4 places across HCA
VPN / Remote Access: ehc.com (Hidden Domain)
  Category: Remote Access / VPN
  Discovery: VPN cert reveals *.secure.ehc.com, a previously unknown HCA domain
  ehc.com DNS: medcity.net nameservers (HCA-owned)
  Email: Same Proofpoint (customer ID 00039202)
  DMARC: p=reject (stronger than hcahealthcare.com!)
  Confidence: 95%
  CF Opportunity: Cloudflare Tunnel replaces VPN — no public DNS exposure needed
Salesforce / ExactTarget / CRM + Marketing Cloud
  Category: CRM & Email Marketing
  CRM: Salesforce (org: 00D5e000003Rx8W)
  Marketing: m.hcahealthcare.com → ExactTarget; reverse DNS still says exacttarget.com (pre-2013 Salesforce acquisition)
  Legacy Risk: Infrastructure unchanged for 10+ years
  Breach Link: July 2023 breach (11M records) involved "external storage for email formatting" — possibly related
  Confidence: 95%
AI Platforms, SaaS & Third-Party Services
Lovable / AI Web Development
  Evidence: lovable_verification TXT record (workspace ID)
  Purpose: AI-powered web app builder — rapid prototyping
  Est. Activation: ~2024–2025 (confidence Medium)
  CF Opportunity: AI Gateway for LLM observability
Dynatrace / Davis AI (Observability)
  Evidence: Dynatrace-site-verification TXT record
  Purpose: Full-stack monitoring with built-in AI anomaly detection
  Est. Activation: ~2020–2023 (confidence High)
Infor CloudSuite / ERP / Supply Chain
  Evidence: infor-cloudsuite-domain-verification TXT
  Purpose: Hospital ERP, supply chain, Coleman AI
  Est. Activation: ~2018–2022 (confidence Medium)
Docker + HashiCorp / DevOps / IaC
  Evidence: docker-verification + hcp-domain-verification TXT
  Purpose: Container runtime + Terraform/Vault for infrastructure-as-code
  AI Implication: Foundation for self-hosted ML model serving
LaunchDarkly + Mixpanel / Feature Flags + Analytics
  Evidence: launchdarkly-domain-verification + mixpanel-domain-verify TXT
  Purpose: Feature flags for AI/ML rollouts, product analytics
  Est. Activation: ~2022–2024 (confidence Medium)
VMware + Cisco + Barco / Data Center & Imaging
  Evidence: vmware-cloud + cisco-ci + cisco-intersight + barco TXT records
  VMware: Virtualization layer for on-prem workloads
  Cisco: Intersight (AI-driven data center mgmt)
  Barco: Healthcare imaging displays
Subsidiaries & Sister Domains
parallon.com: ON CLOUDFLARE (Direct)
  Business: Revenue cycle management, billing, claims
  DNS: medcity.net (self-managed)
  CDN/WAF: Cloudflare (cf-ray, __cf_bm, server: cloudflare)
  Key Insight: Direct Cloudflare customer — HCA's billing subsidiary chose CF for sensitive financial/patient data
  Confidence: 99%
hcadam.com: ON CLOUDFLARE (Via Stylelabs)
  Business: Digital Asset Management (Sitecore Content Hub)
  Origin: hcah-p-001.stylelabs.cloud
  CDN/WAF: Cloudflare + proper security headers (HSTS, XFO, X-XSS)
  Key Insight: Has the security headers the main site doesn't have
  Confidence: 99%
medicalcityhealthcare.com: Dallas-Fort Worth Hospitals
  DNS: Azure DNS (ns1-34)
  CDN: Akamai ION (same Sitecore pattern)
  Origin: wwwprod104-hcadallas-sitecore-cloud.dpxmedcity.net
  WAF: None (same gap as main site)
  Confidence: High
sarahcannon.com: Cancer Research Institute
  DNS: medcity.net (self-managed)
  Security: F5 BIG-IP only (TS cookie)
  Status: Redirects to hcahealthcare.com
  Risk: F5 cookie can reveal internal IPs
  Confidence: High
hcahealthcare.co.uk: UK Operations (Independent Stack)
  DNS: AWS Route 53 (awsdns)
  WAF: Imperva / Incapsula
  Hosting: Vercel + Next.js
  SSL: DigiCert (different CA than US)
  Key Insight: Completely independent — different DNS, WAF, hosting, and cert CA
Other Brand Domains: Mixed Status
  hca.com: NOT OWNED BY HCA — Croatian company
  healthonecares.com: Azure DNS + Akamai (Denver hospitals)
  ehc.com: medcity.net DNS — VPN/remote access
  hcahealth.com: MarkMonitor — brand protection (AWS)
  hcahospitals.com: MarkMonitor — brand protection (AWS)
  CF Opportunity: Registrar consolidation + brand protection
Legacy Infrastructure & Shadow IT — 20+ Ghost Subdomains
Ghost Clinical Subdomains: HIGH RISK — Phishing Vectors
  Subdomains: epic · mychart · telehealth · patient · pharmacy · clinical · research
  Status: All resolve to wildcard IP 165.214.41.39 but serve no content
  Risk: HIGH — "go to mychart.hcahealthcare.com" resolves to a real HCA IP, so it looks legitimate for phishing
  Fix: Remove wildcard DNS or lock behind Cloudflare Access
IT Infrastructure Exposed: HIGH RISK — Attack Recon
  Subdomains: citrix · vpn · owa · adfs · sso · okta · firewall
  Status: All resolve via wildcard — reveals HCA's internal tool stack
  Risk: HIGH — shopping list for targeted attacks
  Fix: Cloudflare Tunnel — make invisible to public internet
Dev/Test Environments: MEDIUM RISK
  Subdomains: dev · staging · qa · uat · test · prod
  Status: All resolve via wildcard
  Risk: MEDIUM — confirms environment naming conventions
  Fix: Remove from public DNS or restrict access
medcity.net Shadow Zone: GOVERNANCE RISK
  What It Is: Entire DNS zone on self-managed nameservers (ns1/ns2.medcity.net)
  Contains: Active Directory, Exchange, internal apps, legacy systems
  Risk: Operates outside Azure DNS governance
  Fix: Consolidate under Cloudflare DNS for unified visibility
July 2023 Data Breach: 11M Patient Records
  What Happened: ~11M patient records exposed from backend storage for email formatting
  Perimeter Response: NO visible changes — still no WAF, bot mgmt still disabled
  Key Insight: Board-level security awareness is high. Investment likely focused internally — perimeter gaps remain.
  Talk Track: "We see the internal investment — here's what's still exposed at the perimeter"
Competitive Landscape — Who Uses What
Cleveland Clinic (~$14B Revenue)
  DNS: Cloudflare
  CDN/WAF: Full Cloudflare Stack
  Email: Mimecast
  Cloudflare?: FULL STACK — best peer reference
Tenet Healthcare (~$20B · HCA's #2 Competitor)
  DNS: Cloudflare
  CDN/WAF: Full Cloudflare
  Email: Microsoft 365
  Cloudflare?: FULL STACK
CommonSpirit Health (~$34B Revenue)
  DNS: Cloudflare
  CDN/WAF: Full Cloudflare
  Email: Proofpoint
  Cloudflare?: FULL STACK
Mayo Clinic (~$17B Revenue)
  DNS: Akamai (akam.net)
  CDN/WAF: Full Akamai (DNS + CDN + WAF)
  Email: Self-managed (mayo.edu)
  Cloudflare?: No
Kaiser Permanente (~$100B Revenue)
  DNS: Self-managed (kp.org)
  CDN/WAF: F5 BIG-IP (on-prem)
  Email: Proofpoint
  Cloudflare?: No
Select Medical (~$7B · Specialty/Rehab)
  DNS: Cloudflare
  CDN/WAF: Full Cloudflare
  Email: Unknown
  Cloudflare?: FULL STACK
Top 5 Cloudflare Sales Entry Points
#1 — WAF + Bot Mgmt: Cloudflare WAF + Bot Management
  No WAF, and bot mgmt disabled, on the main site of the world's largest for-profit hospital company. XSS and SQLi pass through. 35M+ annual patient encounters. HIPAA compliance risk.
  Talk Track: "3 of your 4 closest competitors already use Cloudflare for this. Your DAM system at hcadam.com already has proper security headers through Cloudflare — your main patient-facing site doesn't."
  Urgency: IMMEDIATE
#2 — Network DDoS: Magic Transit
  44 IPv4 prefixes (AS14626) with zero DDoS scrubbing. Only Lumen + AT&T basic transit filtering. Patient-critical systems on these IPs — a volumetric attack hits the network directly.
  Talk Track: "Your ASN is still registered as 'Columbia-HCA' from 1994. Your network hasn't had a security refresh in 30 years. Magic Transit protects all 44 blocks."
  Urgency: HIGH
#3 — Zero Trust / SASE: Cloudflare One
  180+ hospitals, 275K employees. 4 Okta tenants, but internal services (vpn, citrix, adfs, sso) are still publicly resolvable. Not a full ZT architecture. Cloudflare Tunnel + Access makes them invisible.
  Talk Track: "Your VPN is on a hidden domain (ehc.com) but we found it in 30 seconds through your TLS cert. Cloudflare Tunnel eliminates that exposure entirely."
  Urgency: STRATEGIC
#4 — AI Gateway: Cloudflare AI Gateway
  Azure OpenAI (likely), Google Cloud Health AI (confirmed 2021 partnership), Lovable AI, Dynatrace Davis AI, Infor Coleman AI. Multiple AI vendors with no unified control plane.
  Talk Track: "You have at least 5 AI vendors. AI Gateway gives you one place for rate limiting, caching, cost management, and HIPAA-compliant logging across all of them."
  Urgency: STRATEGIC
#5 — DNS Consolidation: Cloudflare DNS + Email Security
  5 different DNS providers (Azure, self-managed medcity.net, AWS Route 53, MarkMonitor, Akamai via domains). No DNSSEC anywhere. DMARC on quarantine, not reject. SPF soft fail.
  Talk Track: "Your billing subsidiary Parallon already chose Cloudflare. Your primary domain has weaker email protection than your internal medcity.net domain. Let's fix that."
  Urgency: COMPETITIVE