AdamMay 1
Terence Eden’s Blog

NHS Goes To War Against Open Source

https://shkspr.mobi/blog/2026/05/nhs-goes-to-war-against-open-source/

The NHS is preparing to close nearly all of its Open Source repositories.

Throughout my time working for the UK Government - in GDS, NHSX, i.AI, and others - I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important.

That's why I'm beyond disappointed at recent moves from NHS England to backtrack on all the previous commitments they've made about the value of open source to the UK's health service.

It's rare that multiple people leak the same story to me, but that's what gives me confidence that lots of people within the NHS are aghast at this news.

A few days ago, I was sent this quote which was attributed to a senior technical person in NHS England.

We are obviously looking at things like Mythos, which is more sophisticated at finding vulnerabilities. In the next week or so, we will be changing our tack on coding the open and making our code public until we're on top of that risk.

Most of our repos, unless they're essential, will be removed for security reasons.

As I've written before, this is not the correct response to the purported threat by Mythos. Neither the AI Safety Institute nor the NCSC recommend this action. While there may be some increase in risk from AI security scanners, to shutter everything would be a gross overreaction.

Nevertheless, that's what the NHS is preparing to do.

On the 29th of April, guidance note SDLC-8 was sent out. Here's what it says:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.

Similarly, the Service Standard says:

There are very few examples of code that must not be published in the open.

The main reason for code to be closed source is when it relates to policy that has not yet been announced. In this case, you must make the code open as soon as possible after the policy is published.

You may also need to keep some code closed for security reasons, for example code that protects against fraud. Follow the guidance on code you should keep closed and security considerations for open code.

There's also the DHSC policy "Data saves lives: reshaping health and social care with data":

Commitment 601 – completed May 2022

We will publish a digital playbook on how to open source your code for health and care organisations

And, here's NHS Digital's stance on open source in their Software Engineering Quality Framework:

The position of all three of these documents is that we should code in the open by default.

All of which is reflected in the NHS service standard:

Public services are built with public money. So unless there's a good reason not to, the code they're based should be made available for other people to reuse and build on.

All of which is to say - open source should be baked into the DNA of the NHS by now. There are thousands of NHS repositories on GitHub. The work undertaken to assess all of them and then close them will be massive. And for what?

Even if we ignore the impracticality of closing all the code - it is too late! All that code has already been slurped up. If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.

And if it were both practical and effective to hide source code - that doesn't matter. These AI tools are just as effective against closed-source. They can analyse binaries and probe websites with ease.

There are tens of thousands of NHS website pages which refer to their GitHub repos - will they all need to be updated? What's the cost of that?

I've no idea what led to NHS England making this retrograde decision - so I've send a Freedom of Information request to find out.

I am convinced that closing all their excellent open source work is the wrong move for the NHS. I hope they see sense and reverse course.

Until then, I've helped make sure that every single NHS repository has been backed up and, because the software licence permits it, can be re-published if the original is closed.

In the meantime, you should email your MP and tell them that the NHS is wrong to shutter its world-leading open source repositories.

Don't let them take away your right to see the code which underpins our nation's healthcare.

Further Reading

#government #nhs #OpenSource #politics
NHS Goes To War Against Open Source

The NHS is preparing to close nearly all of its Open Source repositories. Throughout my time working for the UK Government - in GDS, NHSX, i.AI, and others - I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important. That's why I'm beyond disappointed at recent moves from NHS England to backtrack on…

Terence Eden’s Blog
May 1 at 11:44amWeb
Show threadMatt 🔶 (LordMatt)May 1
@blog When will the suits learn that security through obscurity is no security at all?
Show threadMartin HamiltonMay 1
@lordmatt @blog I'm getting a strong vibe here that we should do everything within our power to prevent senior managers from being taken out to lunch by genAI salesbros 
Show threadMatt 🔶 (LordMatt)May 1
@m @blog Quite likely
Show threadKim Spence-Jones 🇬🇧😷May 2
@lordmatt @m @blog
Or Palantir salesdroids
Show threadBruce HeerssenMay 2

@lordmatt

Perhaps it not security that concerns them.

Show threadMatt 🔶 (LordMatt)May 3
@bruce Maybe, although in my experience, managers tend to have very little understanding of how the technology actually works, but somehow are expected to make sound decisions about said technology.
Show threadBruce HeerssenMay 3

@lordmatt

True, and there's likely much of that in play. Managers also don't like risk, or damage to their reputations, so they often want to keep negative news out of the press. Even when disclosure leads to better long term outcomes.

Show thread🐧DaveNull🐧 ☣️pResident Evil☣May 1
@blog Do these people even realise you don't need to access to source code to exploit vulnerabilities? (fuzzing, scanning binaries for vulnerabilities, buying 0-day breaches… You name it…)
Show threadMatt 🔶 (LordMatt)May 1
@devnull @blog Exactly
Show threadFiona  May 1
@[email protected] NHS doing evil stuff… In other news: It’s Friday…

(Yeah, sucks, but so does everything about them.)
Show threaddoboprobodyneMay 1

@Fiona @blog begging your pardon; am I correct to understand from this post that you assert that everything about the #NHS sucks?

(For your reassurance, I don't intend to express an opinion of my own in this thread, only to clarify the meaning of what I have read).

#healthcare #medicine

Show threadFiona  May 1
@doboprobodyne @[email protected] Maybe not literally everything but a “healthcare service” who sees its primary job in preventing people from getting access to the care they need, even violates its own rules to do so, and does that with actual malice and not merely out of incompetence, is pretty fucking bad, yes!

See e.g. here for details.
RCGP guidance, bigotry, and incompetence leads UK Doctors to force trans adults to detransition – TransActual

Show threaddoboprobodyneMay 2
@Fiona @blog Understood, thank you.
Show threadKigeliaMay 1

@blog thanks for the post. Was an interesting read. It will be interesting to see how this progresses as NHSE winds down and is absorbed by the dept of health.

Does seem a move with little upside and lots of cost/confusion.

Show threadOyu F'kaMay 1

@blog Not at all surprised - the american ai corporations are eyeing up *all* our data in the UK, and they don't want any other software running alongside - they want to monopolise the access to data for their own profits.

Wes Streeting is a blairite and these people's main aim is personal enrichment, and shouldn't be trusted in positions of power.

Show threadƧƿѦςɛ♏ѦਹѤʞMay 3
@Oyu_Fka @blog 💯 ✔️
Show threadDr. Bruce SimpsonMay 3
@Oyu_Fka @blog Someone needs to bring the kryptonite as it's clear the Labour Party are allowing themselves to be corrupted by the secret lobbying that "big tech" have been engaging in as per The Grauniad's reportage. Unfortunately this issue is almost, almost enough to mandate supporting Scottish independence, in the name of future risk control. So far I just see TALK about data sovereignty. These politicians need to gain an education of the world they actually reside in.
Show threadOyu F'kaMay 3

@bms48 @blog Exactly - Starmer et al have been dazzled by the talk of 'big bucks' investment from the american tech-bros, (which, btw, has yet to materialise - not surprised...they are grifters in truth).

Labour are so desperate for success, this is just confirmation bias to them - result, they blindly accept their empty promises of what wonders AI will bring to the UK in the future.

They really do need to wake up to the real world....scary 👀.

Show threadPēteris KrišjānisMay 1
@blog I am getting so tired of utterly unfounded hyperbole around this tool. No, it is NOT that effective. Tech world has lost its integrity and calm in face of technical difficulties.
Show threadWittgenstein's Poker 🇵🇸 ☮️May 1

@blog

I remember when they rejected NHSBuntu and objected to the NHS element in the name.

Show threadTerence EdenMay 1
@linuxgnome they were entirely right to, IMO. That project, well intentioned as it was, had no right to use the word NHS in its name. It risked significant confusion about whether it was an official product or not.
I'd love to see Linux on every NHS workstation - but that wasn't a sensible way to do it.
Show threadDr. Bruce SimpsonMay 2
@blog This is all kinds of stupid. Fuzzing exists. https://us.artechhouse.com/Fuzzing-for-Software-Security-Testing-and-Quality-Assurance-Second-Edition-P1930.aspx
ARTECH HOUSE USA : Fuzzing for Software Security Testing and Quality Assurance, Second Edition

Show threadDr. Bruce SimpsonMay 2
@blog It probably also calls for a "Condescending Wonka", this is the closest I could find.
Show threadDr. Bruce SimpsonMay 3
@blog #epistemology #Wiktionary "The term was introduced into #English by #Scottish philosopher James Frederick #Ferrier ." the fundamental weakness and tragedy of the LLM is its inability to emulate #abductive reasoning well if at all. that is reasoning to the best expectation. regardless, they aid the brute forcing of #INFOSEC #vulnerabilities but at great #computational cost. TL;DR humans are better at defensive INFOSEC than "AI" but this is the answer no-one wants to hear right now.
Show threadDr. Bruce SimpsonMay 3
@blog defence-in-depth is still the most rational stratagem and it is cheaper than "AI" but requires architecting software correctly from the get-go with domain and process knowledge, the very #epistemological nature of which is largely alien to #LLM driven automation approaches. in other words, it requires human judgement by its very nature. the agentic approaches are imitative only, the LLMs do not and cannot "understand". #Lecun knows this as do #Hinton, yet #Amodei threw us all under a bus.
Show threadDr. Bruce SimpsonMay 3
@blog the #epistemology of the local #Linux vulnerability, #copyfail betrays itself. the door left open in AF_ALG by accident. Disclaimer: I used to handle #INFOSEC for #JPMorganChase in 2001 and was part of the #hacking & phone #phreaking #underground throughout the 90s before going legit, and well before my formal R&D work and Ph.D. I am primarily an internetworking specialist but cybersecurity is an adjacent field I have done small beer in.
Show threadNadia/Надя/नाडिया/娜迪亚/ ناديةMay 2
@blog The problem of disassembly is likely to be approached by encrypted executable formats, doubtless with the further poison pill of program loading being legally required to be conditional on cryptographic signatures from a radically restricted set of fascist dictatorship -approved signing keys, even for userspace applications. The malefactors behind all these things very much do have the worst of intentions, and will never openly declare war against open source no matter how many attacks from however many angles against it they simultaneously launch. They're if anything using confusion and denial about whether the attacks are connected and whether there's such a coordinated effort underway as a force multiplier.
Show threadViolet MadderMay 3

@blog

This is somebody letting the wolves in through the back door. Open source tools are the only real shot at independence, transparency, or safety. The alternative is letting in the technofascists-- any chance of privacy, GONE. All your medical data, right down the gullets of surveillance-hungry eugenicists.

Show threadBogdan BuduroiuMay 4
@blog This is unfortunate, the NHS' OpenNext.js Terraform Module was quite helpful, and was a good look into how someone runs OpenNext at scale.
Show threadRob LarterMay 4
@blog
It's not just the NHS. Similar things are happening in other public service areas. I was recently blocked from using an excellent, well-reviewed suite of freeware that is widely used across Europe because "As a government entity we need to go through approved sources, of which Adobe has passed DPIA checks, where others either have not undertaken the check or failed."
So I am now forced to use the less versatile and less intuitive commercial product, and my organisation has to pay for a licence for some software I'd prefer not to use.
It seems to me that the big software houses are amplifying security scares to people controlling public service IT as a way of maintaining their market.
Show threadTerence EdenMay 4

@PoLaRobs You're talking about two different things.

Of course you should only use software which is GDPR compliant.

If that open source product wants to be widely used then it needs to do the hard work to be accepted. There are plenty of vendors who re-sell FOSS precisely because they make sure it is safe to use and they provide legal liability.

Show threadRob LarterMay 4
@Edent
Yes, of course, but I didn't say anything about GDPR and I'm not talking about software that would be used to hold that sort of information.
Show threadTerence EdenMay 4
@PoLaRobs DPIA is a Data Protection Impact Assessment.
You assess software and services to make sure they meet GDPR requirements.
Show threadRob LarterMay 4
@Edent
So that is something any piece of software is expected to go through, regardless of how relevant the assessment is to its purpose?
Show threadTerence EdenMay 4

@PoLaRobs
I don't know where you work, but yes - I'd expect it to.
Anything that's running on your computer potentially has access to the data stored on your computer.
Of course you should check to see whether it leaks your spreadsheets to North Korea.
Similarly, if something goes wrong, who can you sue? Vendors have liability insurance, FOSS projects have disclaimers.

Is a random library from GitHub better than Adobe? Probably. Should you run without assessing it? Absolutely not!

Show threadRob LarterMay 4
@Edent
My approach to this is to read independent tech reviews before trying any software. Is that not sufficient in your view?
Show threadTerence EdenMay 4

@PoLaRobs no.

If you're working for an organisation - especially one trusted with people's data - then you need to actually assess the tools you use.

If you're working for yourself or on a small project then go ahead. But anything business critical, or that touches sensitive information, needs due diligence.