![\"\"](\"https:\/\/www.europesays.com\/ie\/wp-content\/uploads\/2026\/05\/SEI_295369747.jpg\")
<\/p>\n<\/p>\n
Software produced by the National Health Service is usually open to the public<\/p>\n
Mareks Perkons\/Alamy<\/p>\n<\/p>\n
NHS England is hurriedly withdrawing all the software it has written from public view because of the perceived risk of hacking from cutting-edge artificial intelligence. Security experts say the move is unnecessary and counterproductive.<\/p>\n
Software produced by the National Health Service has previously been made open-source and listed on GitHub<\/a> because it is created with public money. This allows other organisations to build upon it and make better services more cheaply without duplicating effort.<\/p>\n But NHS England has issued new guidance to staff, which has been shared with New Scientist, that demands existing and future software be pulled from public view and kept behind closed doors. \u201cAll source code repositories must be private by default. Repositories must not be public unless there is an explicit and exceptional need, and public access has been formally approved,\u201d says the new guidance. The deadline for making code private is 11 May.<\/p>\n Last month, an AI created by Anthropic called Mythos was widely reported to be capable of discovering flaws in virtually any software,<\/a> potentially allowing hackers to break into systems running it.<\/p>\n NHS England\u2019s guidance specifically points to Mythos as the cause for the new measures. \u201cPublic repositories materially increase the risk of unintended disclosure of source code, architectural decisions, configuration detail, and contextual information that may be exploited \u2013 particularly given rapid advancements in Al models capable of large-scale code ingestion, inference, and reasoning (e.g. developments such as the Mythos model),\u201d it reads. \u201cThis red line establishes a default-closed posture for code while the organisation assesses the impact of these changes and ensures that any public publication of code is a deliberate, reviewed, and justified decision.\u201d<\/p>\n However, the UK government-backed AI Security Institute (AISI) investigated Mythos<\/a> and found it to be capable of attacking only \u201csmall, weakly defended and vulnerable enterprise systems\u201d, concluding there was no indication that a really secure bit of software or network would be at risk.<\/p>\n The new measures go against the NHS service standard, which demands that staff make any software they produce open-source. \u201cPublic services are built with public money. So unless there\u2019s a good reason not to, the code they\u2019re based [on] should be made available for other people to reuse and build on. Open-source code can save teams [from] duplicating effort and help them build better services faster,\u201d says the previous guidance<\/a>.<\/p>\n Open-source software for public services also creates greater trust and transparency. For instance, if the code for the Horizon IT system that led the UK\u2019s Post Office to pursue innocent people for alleged theft and fraud<\/a> had been public, then the scandal might not have continued for years.<\/p>\n