Ifindal
2026-05-03
Open Source

Defending Open Source in Healthcare: A Guide to Responding to Unjustified Repository Closures

A practical guide to counter the misguided closure of NHS open-source repositories by assessing risks, citing policy, and proposing alternatives.

Overview

In early 2025, reports emerged that the UK's National Health Service (NHS) was preparing to close almost all of its open-source repositories in response to advances in large language model (LLM) tools, such as Anthropic's Mythos, which had become more sophisticated at finding security vulnerabilities. This decision, as noted by open-source advocate Terence Eden, is widely seen as a disproportionate and misguided reaction.

Source: lwn.net

This guide is designed for healthcare IT professionals, open-source maintainers, and policy advisors who may face similar pressures. It provides a structured approach to evaluate the real security risk of open-source code, counter unfounded fears with evidence, and advocate for maintaining open-source practices in accordance with existing government policies. By following these steps, you can help protect the transparency, collaboration, and innovation that open source brings to healthcare.

Prerequisites

Before diving into the steps, you should have a basic understanding of:

  • Open-source software and repository management (e.g., GitHub, GitLab).
  • Common security scanning tools and their limitations.
  • The role of the NHS and similar public health organisations in software development.
  • The UK's Technology Code of Practice, particularly point 3: "Be open and use open source."

No advanced programming or security expertise is required, but familiarity with these concepts will help you apply the guide effectively.

Step-by-Step Instructions

Step 1: Assess the Actual Risk of Your Repositories

Instead of reacting to generalised fears about LLM-powered scanning, start by categorising the repositories in your organisation. The majority of NHS code repositories, as Eden points out, are not meaningfully affected by any advance in security scanning. They typically contain:

  • Datasets (e.g., anonymised health statistics).
  • Internal tools and guidance documents.
  • Research prototypes and front-end design elements.

Action: Create an inventory of all public repositories. For each one, ask:

  1. Does it contain any live credentials, API keys, or secrets? (If yes, remove them immediately regardless of scanning.)
  2. Does it include code that directly handles patient data? (If yes, review data protection compliance.)
  3. Could an attacker use this code to compromise a production system? (Most front-end and utility repos pose minimal risk.)

Use a simple scoring system (low/medium/high) to prioritise those that actually need attention. Repositories scored as low risk should not be closed.

Step 2: Gather Evidence of Open Source Safety and Success

Eden’s experience with the NHS COVID-19 Contact Tracing app is a powerful example. That app was open-sourced immediately, subject to intense scrutiny from hostile actors, yet caused zero security incidents. This demonstrates that transparency does not inherently lead to vulnerabilities.

Action: Compile similar case studies from your own organisation or trusted peers. Document:

  • Number of open-source projects and their track record.
  • Any security incidents that were detected and fixed more quickly because the code was open.
  • Positive outcomes such as community contributions, peer reviews, and improved code quality.

Present this data in a clear, one-page summary to share with decision-makers.

Step 3: Identify Policy Contradictions

The proposed closure of NHS repositories directly contradicts the UK's Technology Code of Practice point 3, which states: "Be open and use open source." This policy directs government organisations to prefer open-source solutions and to publish their code whenever possible.

Action: Collect official policy documents and highlight the inconsistency. Prepare a brief memo that quotes the relevant policy and explains how the closure would violate it. Add a note that such a move could also undermine public trust and collaboration with the developer community.

Step 4: Engage with Decision-Makers and Stakeholders

Armed with your risk assessment, evidence, and policy analysis, it's time to communicate. Decision-makers may have been influenced by vendor FUD (fear, uncertainty, doubt) or a lack of technical understanding.

Action: Schedule a meeting or write a formal proposal that includes:

  1. A clear statement of the problem (the overreaction to LLM scanning).
  2. Your risk assessment results (most repos are low-risk).
  3. Evidence of open-source safety (e.g., the contact tracing app case).
  4. The policy contradiction (point 3 of the Tech Code of Practice).
  5. An alternative approach: instead of closing all repos, implement enhanced monitoring, automated secret scanning, and a rapid patch process for truly risky code.

Use non-technical language where possible, but be prepared to answer detailed questions about scanning tools and their limitations.

Step 5: Propose Alternative Security Measures

Closing repositories is a blunt instrument. More sophisticated approaches can address LLM-driven vulnerability discovery without sacrificing openness.

Action: Suggest a two-pronged strategy:

  • Pre-publication scanning: Before making code public, run it through static analysis tools (e.g., SonarQube, Snyk) and manual reviews. This catches many common issues.
  • Post-publication monitoring: Use tools that detect leaked credentials or suspicious activity in forks. Implement a responsible disclosure policy so that external researchers can report findings safely.

This approach maintains transparency while proactively managing risk.
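As an added worked example (not code from the article, from Eden, or from the NHS), the script below applies the three Step 1 questions and the Step 5 pre-publication secret scan to a constructed repository inventory; the secret patterns, the Repo fields and the sample repositories are assumptions made for this demonstration.

```python
import re
from dataclasses import dataclass
# Credential-shaped patterns (an assumption for this demo; real scanners carry hundreds).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

@dataclass
class Repo:
    name: str
    files: dict                 # path -> content; constructed sample data below
    handles_patient_data: bool  # Step 1, question 2 (answered by manual review)
    reaches_production: bool    # Step 1, question 3 (answered by manual review)

def find_secrets(files):
    """Step 1 question 1 / Step 5 pre-publication scan: list (path, pattern) hits."""
    hits = []
    for path, content in files.items():
        for label, rx in SECRET_PATTERNS.items():
            if rx.search(content):
                hits.append((path, label))
    return hits

def score(repo):
    """Map the three Step 1 questions to low/medium/high. A live secret is always
    'high': it must be revoked and purged from history before anything else."""
    if find_secrets(repo.files) or repo.reaches_production:
        return "high"
    if repo.handles_patient_data:
        return "medium"
    return "low"

def triage(repos):
    """Inventory view: name -> (score, secret hits). Only 'high' needs a closure debate."""
    return {r.name: (score(r), find_secrets(r.files)) for r in repos}

# Constructed inventory modelled on the repository types the article lists.
SAMPLE_REPOS = [
    Repo("opening-hours-dataset", {"hours.csv": "site,open,close\nA,08:00,18:00"}, False, False),
    Repo("design-system", {"button.css": ".btn { color: #005eb8; }"}, False, False),
    Repo("analytics-prototype", {"run.py": "# loads pseudonymised extracts"}, True, False),
    Repo("auth-gateway", {
        "config.yml": "api_key: 'EXAMPLE-NOT-A-REAL-KEY-0000'",   # placeholder, not real
        "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER",
    }, True, True),
]
```

Running `triage(SAMPLE_REPOS)` leaves the dataset and design repos at "low", which under Step 1 means they should stay open, while only the gateway with a leaked placeholder key lands in "high".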

Common Mistakes

Overreacting to LLM Capabilities

Mistake: Assuming that all LLM-based scanners are equally effective and that any found vulnerability will lead to a catastrophic breach.
Correction: Real-world performance of these tools varies widely. Most repositories contain low-impact data or code that is already hardened. Focus on actual risk, not hypotheticals.

Ignoring Existing Policies

Mistake: Making decisions that contradict government or organisational policies (like the Tech Code of Practice) without a proper review.
Correction: Always cross-check proposed changes against binding policies. Flag contradictions early and seek legal or compliance guidance if needed.

Closing All Repositories Equally

Mistake: Treating a sensitive authentication module the same as a dataset of hospital opening hours.
Correction: Use a risk-based approach. Close only those repositories that genuinely contain high-risk code and cannot be secured through other means.

Forgetting the Community Benefit

Mistake: Underestimating the positive impact of open source on innovation, peer review, and public trust.
Correction: Remember that many security improvements come from external contributors. A blanket closure shuts off that pipeline.

Summary

The NHS's plan to close almost all its open-source repositories in response to LLM-powered vulnerability scanning is a reaction that lacks proportionality. As this guide shows, a more effective approach is to: assess real risks, gather evidence of open-source safety (including successful high-profile projects like the COVID-19 app), cite contradictory policies, engage constructively with decision-makers, and propose targeted security measures instead of blanket closures. By following these steps, healthcare organisations can preserve the benefits of open source while responsibly managing security.

Remember, openness and security can coexist. The key is to use evidence and policy, not fear, as the foundation for decision-making.