Controversy Mounts Over NHS England’s Decision to Withdraw Open-Source Code Amid AI Security Fears

NHS England has announced plans to remove its open-source software repositories from public view, citing the
emergence of advanced “computer-hacking” AI models such as Mythos. The decision has ignited a vigorous debate
among cybersecurity experts, clinicians, developers, and patient-rights advocates. Below, we explore the catalysts
behind the policy, examine the arguments on each side, and consider whether concealing code will truly enhance—
or inadvertently undermine—security, transparency, and efficiency within the National Health Service.

What Prompted the Withdrawal?

According to NHS England officials, large language models trained on publicly available code could accelerate the
discovery of vulnerabilities. By taking its software private, NHS England hopes to deny such models, and the
attackers who operate them, ready access to the code; officials describe this as reducing the attack surface,
although the deployed systems themselves are unchanged by the move. A confidential briefing cited Mythos—a model
reportedly optimized for offensive cybersecurity research—as a key threat vector. NHS leaders argue that proactive
isolation of codebases is a necessary defensive step while the AI landscape remains volatile.

Opposition Voices: Transparency vs. “Security Through Obscurity”

Critics are unconvinced. Open-source advocates stress that many vulnerabilities are uncovered and fixed precisely
because the community can audit and improve code. They argue the withdrawal:

  • Reduces accountability—external researchers lose visibility into how health-critical systems
    process data.
  • Slows innovation—NHS trusts, startups, and academic partners rely on shared code to prototype
    new clinical tools.
  • Creates a false sense of safety—attackers often breach systems via unpatched servers,
    misconfigurations, or social engineering rather than by poring over public code.

Does “Hiding” Source Code Improve Security?

In security circles, the idea that concealment alone can protect software is often dismissed as
security through obscurity. Modern best practice favors:

  • Regular penetration testing
  • Coordinated vulnerability disclosure programs
  • Rapid patch cycles and automated dependency management

Several cybersecurity researchers point out that state-of-the-art exploit development rarely requires full
source code; attackers can reverse-engineer binaries, monitor network traffic, or target third-party integrations.
Code that has already been published also survives in existing clones, forks and package caches, and in any
model training corpora assembled before the withdrawal. Consequently, removing code visibility may only marginally
slow determined adversaries while simultaneously hampering legitimate audits of patient-facing systems.

Impact on Collaboration and Public Trust

The NHS is one of the world’s largest publicly funded health systems. Its open-source initiatives have historically
allowed:

  • Local trusts to fork and customize electronic health record components
  • Research groups to validate data-handling practices
  • International partners to replicate successful digital-health models

By moving behind closed doors, the NHS risks alienating these stakeholders and weakening the
trust framework that underpins large-scale data sharing in healthcare.

Possible Middle-Ground Solutions

Several experts propose compromise strategies, including:

  • Keeping public read-only mirrors of released versions while restricting write access to internal teams
  • Segmenting repositories so that sensitive configurations and credentials remain private but core logic stays
    open
  • Implementing confidential vulnerability reporting channels (the “zero-knowledge” label sometimes attached to
    these does not refer to cryptographic zero-knowledge proofs) that encourage disclosure without full code
    exposure

These approaches aim to balance the NHS’s need for security with the broader community’s call for transparency.
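The segmentation option above only works if something enforces it before each push to the public mirror. The following is an added example, not NHS England code and not part of the original article, of a pre-publication check: it refuses to publish a tree that contains files matching private-path patterns, embedded credentials of well-known shapes (AWS access key IDs, PEM private-key blocks, URLs carrying a username and password), or high-entropy values assigned to names such as password, secret or api_key. The path globs, the entropy cut-off and the sample repository contents are assumptions chosen for illustration; placeholder values such as ${DB_PASSWORD} or <set-in-vault> are deliberately left unflagged so that example configuration can stay open while real configuration stays private.

```python
"""Pre-publication secret and private-config check for a public mirror (added example)."""
from __future__ import annotations

import math
import os
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Paths that must never reach the public mirror. Assumed policy, not NHS policy.
PRIVATE_PATH_GLOBS = [".env", "*.env", "*.pem", "*.key", "*.pfx", "config/*.secret.yml", "secrets.*"]

# Credential shapes. The AWS key-id and PEM patterns follow the published formats;
# the URL and assignment patterns are generic heuristics.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "url-with-credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "assigned-secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off between random keys and words
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")  # env references and templates are not secrets


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 0 when the whole file is blocked because of its path
    rule: str


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for an empty or single-character-alphabet string."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_secret(value: str) -> bool:
    """Treat an assigned value as a credential only if it is not a placeholder and is high-entropy."""
    if value.startswith(PLACEHOLDER_PREFIXES):
        return False
    return shannon_entropy(value) >= ENTROPY_THRESHOLD


def is_private_path(path: str) -> bool:
    base = os.path.basename(path)
    return any(fnmatch(path, g) or fnmatch(base, g) for g in PRIVATE_PATH_GLOBS)


def scan_tree(tree: dict[str, str]) -> list[Finding]:
    """Return every reason the given path->content mapping must not be published."""
    findings: list[Finding] = []
    for path, content in tree.items():
        if is_private_path(path):
            findings.append(Finding(path, 0, "private-path"))
            continue  # the file is blocked outright; no need to scan its contents
        for lineno, line in enumerate(content.splitlines(), 1):
            for rule, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if not match:
                    continue
                if rule == "assigned-secret" and not looks_like_secret(match.group(2)):
                    continue
                findings.append(Finding(path, lineno, rule))
    return findings


def ready_to_publish(tree: dict[str, str]) -> bool:
    return not scan_tree(tree)


# Constructed sample repository: core logic, example config, and several things that must stay private.
SAMPLE_TREE = {
    "src/appointments/scheduler.py": "def book(slot):\n    return slot.reserve()\n",
    "config/settings.example.yml": "db_password: ${DB_PASSWORD}\napi_key: \"<set-in-vault>\"\n",
    "config/production.yml": "db_url: postgres://nhs_app:Xk9pass@db.internal:5432/records\n",
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "scripts/upload.py": "api_key = 'Xk9#vP2qL7mZ4wR8tB3nJ6yH1cF5dG0s'\n",
    "certs/tls.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line}: {f.rule}")
    print("publishable" if ready_to_publish(SAMPLE_TREE) else "BLOCKED")
```

Run as a pre-push hook or CI step against the tree that is about to be mirrored; a non-empty findings list fails the job. The placeholder and entropy rules are what keep example configuration publishable, which is the point of the segmentation proposal: the structure of the configuration stays open for auditors, the values do not.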

What Happens Next?

NHS England has signaled that a formal review of its open-source stance will occur later this year. In the
meantime, advocacy groups are mobilizing to demand public consultation and evidence-based risk assessment. Given
the stakes—patient safety, data privacy, and the future of digital healthcare infrastructure—the outcome of this
debate could set a precedent for public institutions worldwide grappling with the rapid rise of offensive AI
capabilities.

Bottom line: Withdrawing open-source code may offer short-term reassurance, but long-term security
and innovation are more likely to flourish when visibility, collaboration, and robust engineering disciplines are
prioritized over secrecy.
