Yy9088 Stack
2026-05-04
Open Source

NHS's Open Source Reversal: Prudence or Misstep in the Age of AI Security Scanners?

The NHS plans to close most open-source repositories due to AI security scanners, sparking debate. Critics cite past successes and policy contradictions.

Introduction

The United Kingdom's National Health Service (NHS) has long been a beacon of public service, but its recent policy shift regarding open-source software has sparked intense debate. According to reports, the NHS is preparing to close nearly all of its public code repositories — a move reportedly driven by the increasing sophistication of large language model (LLM) tools, such as Anthropic's Mythos, which can now automatically detect security vulnerabilities in source code. This decision has drawn sharp criticism from open-source advocates, notably Terence Eden, who previously worked at NHSX during the COVID-19 pandemic.

[Image: NHS's Open Source Reversal: Prudence or Misstep in the Age of AI Security Scanners? Source: lwn.net]

The Decision: A Shut-Down of Public Repositories

The NHS currently maintains hundreds of public repositories on platforms like GitHub, encompassing datasets, internal tools, guidance documents, research instruments, front-end design components, and much more. The new guidance, first reported by Terence Eden, would effectively take the vast majority of this code offline. The stated rationale is that leaving code exposed makes it easier for adversaries to discover and exploit vulnerabilities — especially with AI-powered scanning tools that can parse through thousands of lines of code in seconds.

However, critics argue that the risk is vastly overstated. The bulk of the NHS's open-source projects are not critical infrastructure or security-sensitive applications. They are shared resources that enable collaboration, transparency, and innovation. Closing them, opponents say, could stifle research, hinder interoperability, and damage trust in the NHS's commitment to openness — a principle that has been enshrined in several government technology policies.

Terence Eden's Perspective: A Case for Openness

Terence Eden, a noted open-source expert who served at NHSX during the height of the pandemic, has been vocal in his disagreement with the closure. He points out that the overwhelming majority of NHS code repositories are not meaningfully affected by advances in security scanning. They are not the kind of software that, if compromised, would lead to a security incident. "There is nothing in them which could realistically lead to a security incident," Eden stated firmly.

The COVID-19 Contact Tracing App Example

To illustrate his point, Eden reminds us of the NHS's own successful open-source precedent: the COVID-19 Contact Tracing app. During the pandemic, NHSX made the deliberate decision to open-source the app from the very moment it was publicly available. This was a nationally mandated application, installed on millions of phones, and subject to intense scrutiny from hostile state actors. Despite the high stakes — and despite publishing not only the code but the architecture and full documentation — the open-source code caused zero security incidents.

Eden's argument is that transparency, when practiced responsibly, does not automatically lead to increased risk. In fact, it often strengthens security by allowing a wider community to audit the code and report issues before they can be exploited.

A Direct Contradiction with the UK's Tech Code of Practice

The new NHS guidance also appears to fly in the face of the UK government's own stated policies. The Technology Code of Practice, which applies to all public sector organisations, explicitly includes Point 3: "Be open and use open source". This directive insists that code should be open by default, arguing that openness drives innovation, reduces duplication, and improves security through community oversight.

By moving to close its repositories, the NHS appears to be walking away from this principle. Critics argue that this sets a dangerous precedent not only for the NHS but for other public bodies that may follow suit. The decision could undermine years of progress in building a culture of open collaboration within government technology.

The Broader Context: AI and the Changing Threat Landscape

It is worth noting that the NHS's concern is not entirely unfounded. LLM-based security scanners have indeed made it easier to find vulnerabilities in code, and some organisations are reconsidering their open-source strategies. However, security experts generally agree that the response should not be to hide code, but to adopt better security practices: regular audits, automated vulnerability scanning before publication, and responsible disclosure policies. The NHS could leverage its own open-source community to help identify and fix issues, rather than retreating behind closed doors.
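The "automated vulnerability scanning before publication" practice mentioned above can be made concrete as a pre-publication gate. The following is an added example written for this article; it is not NHS code, not anything from Terence Eden's blog, and not a substitute for a real scanner such as gitleaks or trufflehog. It walks a repository tree, flags a handful of constructed secret-like patterns (cloud access keys, private-key blocks, hard-coded passwords, forge tokens), and returns a publish/hold decision. The rule names, the sample repository contents and the `AKIAIOSFODNN7EXAMPLE` key (the placeholder used in AWS documentation) are all constructed for illustration.

```python
"""Added example (not from the article or the NHS): a minimal pre-publication
secret/vulnerability gate of the kind the text recommends running before a
repository is made public. Rule set and sample tree are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed, deliberately small rule set. Production scanners ship hundreds
# of patterns plus entropy checks; these four are enough to show the shape.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Directories never worth scanning (vendored or generated content).
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    excerpt: str


def scan_text(text, path="<string>"):
    """Apply every rule to every line; return one Finding per (rule, line) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, path, line_no, line.strip()[:80]))
    return findings


def scan_tree(root):
    """Walk the tree under `root`, skipping SKIP_DIRS, and scan each text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the gate
            findings.extend(scan_text(text, os.path.relpath(full, root)))
    return findings


def publish_allowed(root):
    """Gate decision: publication is allowed only when the tree has no findings."""
    return len(scan_tree(root)) == 0


def build_sample_repo(with_secrets=True):
    """Create a constructed sample repository in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="prepub_")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "settings.py"), "w") as fh:
        fh.write("DEBUG = False\n")
        if with_secrets:
            # Constructed sample values, not real credentials.
            fh.write('DB_PASSWORD = "correct-horse-battery"\n')
            fh.write('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n')
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("# Example tool\nNo secrets here.\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for f in scan_tree(repo):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
    print("publish allowed:", publish_allowed(repo))
```

In practice this kind of gate runs in CI on the branch that is about to be made public, and a hit blocks the publish step until the offending value is removed and rotated; the point of the article's argument is that such a check, not withdrawal of the code, is the proportionate response to faster scanners.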

Moreover, the repositories in question are not all active code projects. Many are static datasets, outdated tools, or reference implementations. The risk they pose is minimal, especially when compared to the benefits of continued sharing and collaboration.

Conclusion: A Need for Balanced Decision-Making

The NHS's apparent decision to shut down its open-source repositories represents a significant and controversial pivot. While the threat of AI-powered vulnerability scanning is real, the blanket closure of almost all repositories is a blunt instrument that ignores the nuanced reality of the code involved. The successful precedents of the COVID-19 app and the existing policy commitments to openness suggest that a more measured approach — one that maintains transparency while enhancing security — would better serve the public interest.

As AI tools continue to evolve, public sector organisations will need to develop tailored strategies that balance security with the proven benefits of open source. The NHS, as one of the world's largest healthcare providers, should lead by example, not retreat from a model that has already delivered results. The conversation is far from over, but for now, the open-source community watches with concern as the NHS goes to war — not with open source, but perhaps with its own best practices.

This article is based on reporting by Terence Eden and discussions surrounding the NHS's open-source policy. The original article was published on his personal blog.