NHS Software: Publicly Accessible by Design
NHS England is swiftly withdrawing all of the software it has developed from public access, citing concerns that advanced artificial intelligence could be used to hack it. Security experts, however, consider the decision unnecessary and counterproductive.
Because it is funded from public resources, software produced by the NHS has historically been open source and available on GitHub, allowing other organizations to build on it and improve services without duplicating effort.
In light of recent developments, NHS England has issued new directives shared with staff. According to New Scientist, existing and forthcoming software must remain private. “All source code repositories must be private by default. Public access is only permitted under exceptional circumstances,” the guidance states, with a deadline for compliance set for May 11.
Recent reports highlighted that the AI system developed by Anthropic, called Mythos, could detect vulnerabilities in nearly any software, raising concerns about potential cyber breaches.
NHS England cites Mythos as a primary motivator for these new regulations, warning that public repositories heighten the risk of exposing sensitive information that savvy hackers may exploit. “This directive establishes a default closed posture for code while ensuring that organizations evaluate the impact of these changes,” they wrote.
By contrast, the UK government-backed AI Security Institute (AISI) has found that Mythos primarily targets “small, poorly defended and vulnerable corporate systems,” indicating that genuinely secure software is not affected.
The new measures contradict the NHS service standards, which require that software developed with public resources be open source. “Public services, funded by taxpayers, should remain reusable and modifiable by others unless deemed necessary otherwise,” as outlined in previous guidelines.
Open source software enhances trust and transparency in public services. The Horizon IT system used by the UK Post Office, which led to unjust accusations of theft against sub-postmasters, might have avoided that turmoil if its code had been publicly accessible.
Terrence Eden, a British civil servant with experience in public data accessibility, criticized the recent move as illogical. “Is it possible for Mythos to scan a repository and identify a bug? Absolutely. But will it lead to a security issue in running NHS services? Highly unlikely,” Eden asserts. “This reaction seems to reflect a panic based on exaggerated fears about Mythos’s capabilities.”
Eden argues that open source solutions are actually more secure due to greater scrutiny from the community. Furthermore, NHS software has long been publicly accessible, meaning it exists in various backups regardless of new restrictions.
“Restricting access now is akin to closing the barn door after the horse has bolted,” Eden comments. “NHS staff are perplexed, uncertain about where this policy aims to lead.”
A spokesperson for NHS England stated: “To bolster our cybersecurity, we are temporarily limiting access to certain NHS England source code while we assess the rapidly evolving AI landscape. We will continue to share source code publicly where necessary.”
Source: www.newscientist.com