NHS England rushes to hide software over AI hacking fears
NHS England has abruptly reversed its longstanding policy of making publicly funded software open-source, ordering all existing and future code repositories to be made private by default. The directive, which must be implemented by May 11, is driven by concerns over emerging artificial intelligence tools like Mythos, which are believed to pose new cybersecurity risks by potentially enabling hackers to analyze and exploit publicly available source code. NHS England’s new guidance emphasizes a “default-closed posture” for software to prevent unintended disclosures of sensitive technical details.
The decision marks a significant departure from previous NHS standards that mandated transparency and openness to foster collaboration, reduce duplication, and build public trust. Open-source software has traditionally allowed other organizations to improve upon NHS tools and has been seen as a safeguard against errors and malpractice, as demonstrated by past scandals such as the Post Office’s Horizon IT system. Critics argue that restricting access could hinder innovation and reduce accountability in public services.
However, security experts and organizations like the UK government-backed AI Security Institute (AISI) have challenged the rationale behind the NHS move. AISI’s investigation into Mythos found that while the AI model could target small, vulnerable systems, it posed little threat to well-secured software or networks. Experts warn that the policy may be an overreaction that could stifle collaboration without significantly improving cybersecurity. Terence Eden, a former civil servant experienced in public data access, described the NHS’s approach as lacking logical basis, noting that the risk of AI scanning code repositories to find bugs is inevitable but manageable through other means.
The NHS’s shift highlights the growing tension between maintaining cybersecurity in an era of advanced AI capabilities and preserving the principles of openness and transparency in publicly funded digital services. How this balance will be struck remains a critical question for the future of public sector software development in the UK.
Original story by New Scientist