How to Evaluate the Impact of Removing Open-Source Code for AI Security in Healthcare

By ✦ min read

Introduction

In an era where artificial intelligence (AI) models like Mythos can exploit vulnerabilities in software code, healthcare organizations face a tough choice: keep their open-source projects visible to foster transparency and collaboration, or hide them to reduce the risk of AI-driven hacking. The recent decision by NHS England to pull its open-source software from the internet has sparked significant backlash, with critics arguing that removing code hampers transparency and efficiency without actually improving security. This guide will walk you through the steps to make an informed decision for your own organization, weighing the pros and cons while considering the unique pressures of healthcare IT.

What You Need

• Current inventory of all open-source software and dependencies used in your healthcare systems.
• Security audit reports that identify known vulnerabilities, especially those that could be targeted by AI-driven hacking tools.
• Stakeholder input from developers, cybersecurity teams, legal advisors, and patient advocacy groups who value transparency.
• Risk assessment framework to quantify threats (e.g., likelihood of attack versus impact on patient safety).
• Policy templates for modifying open-source license terms or moving to private repositories.
• Communication plan to address concerns from the developer community and the public.

Step-by-Step Guide

Step 1: Understand the Threat Landscape

Before making any changes, you must grasp how AI models can exploit open-source code. Systems like Mythos use machine learning to scan public repositories for vulnerabilities, then craft targeted attacks. Research specific examples relevant to healthcare—such as breaches of patient data or disruption of critical systems. Document the types of attacks that are most likely given your current codebase. This knowledge will frame your entire decision-making process.

Step 2: Audit Your Open-Source Software

Create a comprehensive list of all open-source components in your organization. Classify them by criticality (e.g., mission-critical, non-essential), exposure (public vs. internal use), and the sensitivity of data they process. Use automated tools to scan for known vulnerabilities and map them against AI threat databases. Pay special attention to libraries that are widely used but poorly maintained—they are prime targets for AI hackers.

Step 3: Evaluate the Security Impact of Removing Code

Removing open-source code from the internet may reduce the attack surface for AI-driven scans, but it does not eliminate all risks. Analyze whether hiding the code truly prevents sophisticated attackers from reverse-engineering your systems. Consider the concept of “security through obscurity”—while making code private can slow down some attacks, it may also hide vulnerabilities from well-meaning researchers who could help fix them. This step is crucial to avoid the mistake NHS critics highlight: the measure might not improve security at all.

Step 4: Assess Transparency and Efficiency Gains

Open-source software often brings benefits that go beyond code availability. It enables peer review, rapid bug fixes, and community-driven innovation. Interview your development team to understand how much they rely on external contributions. Quantify the efficiency gains: for example, how many hours per month are saved by using community patches? Also evaluate the reputational cost—removing code can erode trust with patients and partners who expect transparent handling of health data. NHS England’s move has drawn criticism precisely because it sacrifices these advantages for uncertain security gains.

Step 5: Explore Alternatives to Complete Removal

Before committing to hiding all open-source code, consider middle-ground solutions. Options include:

• Delayed publication: Release code only after vulnerabilities are patched.
• Private repositories with controlled access: Keep code hidden from public but share with trusted auditors.
• Enhanced monitoring: Instead of hiding, invest in AI-based threat detection that can spot attacks early.
• License changes: Switch to a license that discourages malicious use without restricting visibility.

Each alternative has trade-offs; weigh them against the original goal of reducing AI hacking risk.

Step 6: Engage Stakeholders and the Public

Transparency advocates, patient groups, and the open-source community will have strong opinions. Hold consultations with key stakeholders to explain your reasoning and gather feedback. If you decide to remove code, be prepared for backlash similar to what NHS England faces. Communicate clearly why the change is necessary, what security benefits you expect, and how you will maintain efficiency without public collaboration. This step can help mitigate resistance and even lead to better solutions.

Step 7: Implement the Chosen Strategy

Put your plan into action. If you opt for removal, systematically take down repositories, update documentation, and redirect community contributors to private channels. If you choose an alternative, configure access controls, set up automated security scans, and communicate the new workflow to your team. Document the process thoroughly so you can measure outcomes later.

Step 8: Monitor and Iterate

After implementing changes, continuously monitor for new AI threats and evaluate whether your decision is working. Track metrics like incident frequency, developer productivity, and public feedback. If the security benefits are minimal and the costs high, you may need to reverse course—just as NHS opponents argue might happen. Regularly update your risk assessment and be willing to adapt as AI hacking tools evolve.

Tips

• Start small: Pilot your strategy with a non-critical project before rolling out to all software.
• Keep a public archive: Even if you remove active code, consider leaving a read-only copy for historical reference—it can help researchers understand your systems without enabling attacks.
• Invest in AI defense: Instead of solely focusing on hiding code, also develop internal AI tools to detect and mitigate attacks in real time.
• Document your rationale: Publish a transparency report explaining your decision—this can turn critics into allies.
• Learn from NHS England: Their experience shows that backlash can be intense; prepare a strong narrative that balances security needs with the spirit of open-source collaboration.