Quick Facts
- Category: Open Source
- Published: 2026-05-02 11:20:18
Introduction: A Controversial Decision
The UK's National Health Service (NHS) is reportedly planning to shutter almost all of its public open-source repositories, citing concerns that sophisticated Large Language Model (LLM) tools—such as Anthropic's Mythos—can now identify security vulnerabilities more effectively than ever before. This move, first reported by technology commentator Terence Eden, has sparked sharp criticism from the open-source community and raised questions about the NHS's commitment to transparency and collaboration.

While the NHS claims the decision is a precautionary measure to protect patient data and system integrity, many argue that it is an overreaction that will stifle innovation, hinder public accountability, and contradict existing government policies.
Background: What's at Stake?
Terence Eden, a former NHSX employee who helped oversee the open-source release of the UK's COVID-19 contact tracing app, outlined the situation in a detailed critique. According to Eden, the NHS's new guidance effectively closes the vast majority of its public code repositories. This would remove access to datasets, internal tools, guidance documents, research prototypes, and front-end design components that have long been available for public scrutiny and reuse.
Eden bluntly disagrees with the rationale behind the decision. He argues that most of these repositories pose no realistic security threat, even with the improved scanning capabilities of modern AI. The core issue, as he sees it, is a failure to differentiate between sensitive, high-risk code and the routine, low-risk materials that form the bulk of NHS open-source contributions.
The True Nature of NHS Open-Source Repositories
Contrary to the assumption that the NHS releases large amounts of mission-critical, vulnerable software, the repositories in question are overwhelmingly mundane. They include:
- Publicly available statistical datasets
- Internal workflow scripts for administrative tasks
- Guidance documents for clinicians and patients
- Research tools and prototypes used in academic studies
- Front-end design libraries (such as the NHS.UK design system)
None of these contain sensitive algorithms, patient data, or infrastructure code that could directly lead to a security breach. Even if an LLM could identify a minor bug in a documentation generator script, the impact would be negligible. As Eden emphasizes, “There is nothing in them which could realistically lead to a security incident.”
Historical Precedent: Open Source During a Pandemic
To underscore his point, Eden recalls his tenure at NHSX during the height of the COVID-19 pandemic. At that time, the team deliberately open-sourced the COVID-19 Contact Tracing App the very moment it was publicly released. This was a nationally mandated application, installed on millions of phones, and subject to intense scrutiny from hostile state actors and security researchers worldwide.
Despite the app's high profile and the potential for catastrophic vulnerabilities, the open-sourcing of its code, architecture, and documentation resulted in zero security incidents. Instead, it fostered public trust, allowed independent audits, and enabled rapid improvements from the developer community. Eden argues that if such a sensitive app could be safely shared, the vast majority of the NHS's current repositories—which are far less critical—should pose no risk whatsoever.
Contradicting the UK's Own Tech Code of Practice
A further irony is that the new guidance appears to fly in the face of the UK government's official Technology Code of Practice. Point 3 of that code, titled “Be open and use open source,” explicitly encourages public sector bodies to:
- Publish code and data under open licenses
- Use open-source solutions over proprietary ones where possible
- Engage with the wider open-source community to improve security and quality
The NHS's decision to close repositories directly violates this principle. Critics argue that rather than retreating from open source, the NHS should invest in better security practices—such as automated scanning, penetration testing, and responsible disclosure policies—that allow code to remain open while mitigating risks.
Conclusion: A Blow to Transparency and Innovation
The NHS's plan to turn its back on open source in response to the advancement of LLM vulnerability scanners is, in the view of many experts, a misguided overcorrection. While it is prudent to review security practices in an era of increasingly capable AI, a blanket closure of repositories is not the answer. It would deprive the public of valuable resources, undermine the collaborative spirit that has driven many recent healthcare innovations, and contradict established government policy.
As Terence Eden and others have pointed out, the solution lies not in hiding code, but in embracing responsible open-source governance. By focusing on risk-based assessments, improving scanning tools, and maintaining transparency, the NHS can protect its systems without sacrificing the immense benefits of open collaboration.
For now, the tech community watches and waits to see whether the NHS will reconsider its stance—or press ahead with a decision that many believe will harm, rather than help, the security and efficacy of the UK's digital health ecosystem.