The National Health Service (NHS) in England has long championed an open-source approach to the software it funds, arguing that public money should result in publicly available code. This stance, however, is now being challenged as advanced AI-driven hacking tools—most notably a model referred to as Mythos—raise fresh concerns about the security implications of fully open repositories. Below is a detailed look at why the policy shift is happening, how it differs from past practice, and what it could mean for patients, developers, and the wider technology ecosystem.
Background: The NHS Open-Source Mandate
Since the early 2010s, NHS England has promoted guidelines that stipulate any software written with taxpayer funds must be released under an open-source license. The rationale is threefold:
- Transparency: Allowing public scrutiny of code fosters trust and lets security researchers spot vulnerabilities early.
- Collaboration: Hospitals, GP surgeries, and health-tech startups can reuse, adapt, and improve the software without paying licensing fees.
- Cost Efficiency: Open code discourages vendor lock-in and lowers long-term maintenance costs across the NHS.
The Rise of AI-Driven Cyber Threats
While open code supports collaboration, it also gives malicious actors the same access. Recent years have seen the emergence of AI models capable of:
- Scanning thousands of repositories in minutes to identify exploitable patterns
- Auto-generating targeted payloads that adapt to specific system architectures
- Bypassing conventional intrusion-detection systems through rapid mutation
These capabilities blur the line between legitimate security research and automated exploitation. The Mythos model, in particular, has reportedly demonstrated an ability to ingest open-source healthcare code and generate proof-of-concept attacks with minimal human input.
Who—or What—Is Mythos?
Mythos is not a single freely downloadable tool but an AI system traded privately among cyber-criminal networks. According to threat-intelligence analysts:
- It leverages large language models fine-tuned on vulnerability databases.
- It can transform plain-language goals (e.g., “find a path to patient data”) into step-by-step exploitation scripts.
- Its output evolves quickly, making static defenses obsolete within hours.
The existence of Mythos has forced security teams to rethink the wisdom of exposing blueprints of critical healthcare infrastructure online.
The New Policy Direction
NHS England is reportedly drafting guidance that would exempt “high-risk” codebases from mandatory open release. While final wording is still under consultation, early drafts suggest:
- Systems connected to patient-identifiable information, prescription services, or critical device interfaces may remain closed source.
- Security audits will be conducted by vetted third parties rather than the general public.
- Code may still be shared under strictly controlled licenses—for example, to academic researchers who agree to non-disclosure terms.
Potential Impacts
Innovation & Collaboration
An open-source freeze could slow the pace at which trusts and startups build on NHS code. Small vendors that rely on free access might need to negotiate costly agreements or pivot to alternative platforms.
Security Posture
Keeping code private can reduce “easy wins” for attackers, but it may also limit the number of white-hat researchers capable of discovering bugs. The NHS will need robust internal review processes to avoid relying on security through obscurity.
Legal & Ethical Considerations
Taxpayers fund the development of this software, so moving away from openness raises questions about accountability and public ownership. Any new policy will have to reconcile patient safety with democratic oversight.
Balancing Openness and Safety: Possible Paths Forward
Experts suggest hybrid strategies that preserve transparency while mitigating risk:
- Time-delayed Releases: Release code as open source only after a defined period and after critical vulnerabilities are patched.
- Red-Team Bounties: Pay ethical hackers to probe private code before public disclosure, mirroring programs run by big tech firms.
- Component-Level Openness: Release generic modules (e.g., UI components) openly while keeping security-sensitive connectors private.
What Comes Next?
The NHS finds itself at a crossroads between its historical commitment to open technology and the escalating sophistication of AI-enabled cyber threats. Whatever policy finally emerges, it will likely shape how public-sector organizations worldwide treat the tension between transparency and security in the age of artificial intelligence. Stakeholders—from clinicians and coders to policymakers and patients—should follow developments closely, as the outcome will influence not only how healthcare software is built but also who ultimately controls and secures it.