NHS England is pulling its publicly available software from view due to concerns over AI models capable of hacking. The move reverses long-standing open-source policies for taxpayer-funded code. Security experts call the decision unnecessary and counterproductive.
NHS England has issued new guidance requiring all source code repositories to be made private by default. The policy demands that existing and future software be kept behind closed doors unless explicitly approved for public access. Staff face a deadline of 11 May to privatize the code, which was previously shared openly on platforms like GitHub because it was created with public money. This allows other organizations to reuse it and avoid duplicating efforts, as per prior NHS service standards. The guidance cites rapid AI advancements, specifically Anthropic's Mythos model, as the trigger. Last month, Mythos gained attention for discovering flaws in software, potentially enabling hackers to exploit systems. The document warns that public repositories increase risks of disclosing code details that AI could analyze and exploit. “Public repositories materially increase the risk of unintended disclosure of source code... particularly given rapid advancements in AI models... (e.g. developments such as the Mythos model),” it states. A default-closed posture will remain while impacts are assessed. However, the UK government-backed AI Security Institute (AISI) found Mythos capable only of attacking small, weakly defended systems, posing no threat to secure software or networks. Terence Eden, a former UK Civil Service expert on public data access, criticized the policy as illogical. “Is it possible that Mythos will scan a repository and find a bug? Yes, 100 per cent likely. Is that going to be a bug that causes a security issue in a live NHS service somewhere? Almost certainly not,” Eden said. He argued open-source code is more secure due to community scrutiny and noted that NHS code, already public for years, exists in numerous backups. “Shutting it down now is very much bolting the stable door after the horse has gone,” he added. An NHS England spokesperson explained: “We are temporarily restricting access to some NHS England source code to further strengthen cyber security while we assess the impact of rapid developments in AI models. We will continue to publish source code where there is a clear need.”
