Mythos AI hacking fears prompt UK health service crackdown on open-source code
NHS England has ordered development teams to make code repositories private by May 11th as it reviews cybersecurity risks linked to advanced AI models, prompting backlash from open-source advocates.
Earlier this month, NHS England issued new internal guidance requiring thousands of code repositories to be made private by default.
Under the new policy, reported by a handful of UK-based news outlets, including New Scientist, repositories “must not be public unless there is an explicit and exceptional need” and formal approval from the Engineering Board.
A deadline of May 11th, 2026, has been set for compliance, with teams asked to request exemptions by May 6th.
The shift marks a significant change in approach. NHS-developed software has often been released as open source on platforms such as GitHub, allowing other organizations to reuse and build on tools without duplicating effort.
“Temporary move designed to strengthen cybersecurity”
In a statement to Digital Health News, an NHS England spokesperson said the move was temporary and aimed at strengthening cybersecurity.
“We are temporarily restricting access to some NHS England source code to further strengthen cybersecurity while we assess the impact of rapid developments in AI models,” they said, adding that code would continue to be published “where there is a clear need.”
Strong password generator
The internal guidance highlights concerns that public repositories could expose sensitive technical data, particularly given “advancements in AI models capable of large-scale code ingestion, inference, and reasoning (e.g., developments such as the Mythos model).”
In December 2025, NHS England removed open source policy pages from its websites without any announcement or explanation to the public.
“Disproportionate reaction”
Critics, however, argue the move is disproportionate. In a blog post titled NHS Goes To War Against Open Source, a former NHSX adviser, Terence Eden, said most repositories contain relatively low-risk material.
“There is nothing in them which could realistically lead to a security incident,“ he argued, describing them as largely consisting of datasets, internal tools, and front-end resources.
Eden also pointed to the decision to open-source the Covid contact tracing app during the pandemic as evidence that transparency and security can coexist.
Despite being deployed nationally and subject to intense scrutiny, he noted, publishing the code “caused zero security incidents.”
He further questioned the practicality of reviewing and restricting thousands of repositories, arguing that if advanced AI systems are as capable as they purport to be, then it is too late anyway.
“If Mythos really is the ultimate hacker, hiding the code now does nothing. It has likely already retained copies of the repositories.”
Former NHSX adviser, Terence Eden.
Petition formed against NHS move
Opposition has also emerged in the form of an open letter hosted by Keep Things Open, which has attracted hundreds of signatures.
The petition argues that open-source development acts as an immune system booster to NHS security by enforcing higher standards and continuous scrutiny.
“Making code open source requires more work than keeping it closed. That hard work is the point. It requires a higher bar of quality. It requires processes to proactively find, fix, and monitor for vulnerabilities. It requires identifying risk and putting barriers in place to contain any damage when things go wrong.”
“But it works like the human immune system: being exposed to threats hardens the attack surface."
Unlock more exclusive Cybernews content on YouTube.
