NHS Shuts Down Open Source Repositories Over AI Security Fears, Contradicting Government Policy

Published: 2026-05-01 19:28:35 | Category: Open Source

Breaking: NHS to Close Most Open Source Repositories

The UK’s National Health Service (NHS) is moving to shut down nearly all of its public open source repositories, citing heightened risks from advanced LLM tools like Anthropic’s Mythos that can automatically detect security flaws. The decision, first reported by Terence Eden, has sparked immediate backlash from open source advocates.

Source: lwn.net

“The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They’re mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.”
— Terence Eden, former NHSX staff member

Eden, who helped open source the NHS Covid Contact Tracing app during the pandemic, argues the move is both unnecessary and contradictory to established UK policy. He notes that even sensitive national apps were safely shared as open source without causing a single incident.

Background

The NHS currently hosts hundreds of repositories on platforms like GitHub, ranging from clinical guidelines to internal development tools. The new directive would remove public access to almost all of them, leaving only a handful of critical security-related projects.

This reversal marks a dramatic shift from the NHS’s previous stance during the COVID-19 pandemic, when it championed transparency. The contact tracing app—used by millions and scrutinized by hostile actors—was published in full, including code, architecture, and documentation.

“When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.”
— Terence Eden

Furthermore, the guidance directly contradicts the UK’s Tech Code of Practice point 3, which explicitly says: “Be open and use open source.”

What This Means

The closure would undermine decades of trust built between the NHS and the developer community. Open source contributors rely on these repositories to audit, improve, and extend NHS tools—many of which are used in critical care settings.

By hiding its code, the NHS risks slowing innovation and reducing the scrutiny that helps catch bugs before they reach patients. Security experts warn that security through obscurity is rarely effective and often backfires: taking code out of public view does not remove the flaws in it, only the outside reviewers who might find and report them.

The contradiction with the UK’s own Tech Code of Practice could also create legal and policy friction. The government has publicly committed to openness in technology, yet its largest public body is moving in the opposite direction.

Tech Code of Practice Contradiction

The UK’s Technology Code of Practice, which governs all government digital services, includes a clear mandate: point 3 states that public sector bodies should “be open and use open source.” The NHS’s new policy appears to ignore this requirement entirely.

Eden’s report highlights the irony: “This new guidance is in direct contradiction to the UK’s Tech Code of Practice point 3 ‘Be open and use open source’ which insists on code being open.”

As of press time, the NHS has not issued a public statement explaining the rationale or responding to the criticism. Developers and open source advocates are calling for an immediate reversal and a transparent review process.