NHS England Restricts Access to Software Code Over AI Security Concerns

NHS England is restricting public access to its software code in response to perceived hacking risks from artificial intelligence models. The organization has issued guidance to staff, requiring that all source code repositories be private by default.

This change applies to existing and future software, with public access allowed only for explicit and approved needs. The guidance specifies a deadline of May 11 for making repositories private. It references advancements in AI, including the Mythos model developed by Anthropic, as increasing the risk of exploitation through code ingestion and inference.

Previously, NHS software was made open-source on platforms like GitHub, as it is created with public funds, allowing other organizations to reuse and improve it.

Security experts have stated that the policy change is unnecessary. Terence Eden, who has experience in the UK Civil Service on open data access, said the move lacks logical sense. He noted that open-source software is more secure due to community checks and that much NHS software is not security-critical.

Eden added that since the code has been public for years, it remains available in backups and downloads.

The new measures contradict the NHS service standard, which requires software produced with public money to be open-source to avoid duplication and promote better services. For example, public code for the Horizon IT system might have prevented a prolonged scandal involving wrongful accusations.

A spokesperson for NHS England stated that the restriction is temporary to strengthen cyber security while assessing AI developments. The organization plans to continue publishing code where there is a clear need.