NHS England quietly removes open source policy web pages

NHS England has removed open source policy pages from its websites without any announcement or explanation to the public.

Open source software allows source code to be publicly available to view and scrutinise, in contrast with closed sourced software, which only allows the vendor to see how the system works.

Dr Marcus Baw, freelance software developer and clinical informatician, shared his concerns with Digital Health News about the removal of the open source policy pages, which are now showing 404 errors “with no explanation, consultation or replacement” from NHSE.

“NHS England had a fairly high-profile open-source programme about 10 years ago. Clearly at some point the NHS thought that open source was both a valid thing to do and important,” Baw said.

He explained that open source underpins most of the modern tech industry, including cloud infrastructure, internet servers, databases, Android, Chrome, Linux, and much of big tech’s internal systems, allowing innovation and sharing across different organisations.

“Greater open source in the NHS will drive down the costs significantly for infrastructural items and a lot of our tech spend would go down in cost and we would also be less dependent on external US-based companies,” he said.

It can also help prevent issues such as the post office scandal, in which accounting errors from Fujitsu’s faulty Horizon IT system led to more than 900 sub-postmasters being wrongly prosecuted for fraud, with 13 people committing suicide as a result.

“A huge amount of the infrastructure that we use for the web is open source and when an error is discovered, it’s reported and fixed within hours sometimes.

“The Horizon IT was closed source code. We still don’t have access to that source code and therefore even in the court case for Horizon, they were not able to work out what went wrong in every case.

“If it was open source, someone would have found the issue and it would have been fixed a lot sooner and possibly some people would have not died and some people certainly wouldn’t have gone to jail.”

A spokesperson for NHSE told Digital Health News that the open source pages were removed as part of a regular clean-up exercise for the NHS website, because the policies ceased to exist when NHSX was merged into NHS Digital and NHSE in 2021.

They added that NHSE follows the government service standards for building services, which describe the NHS’s open source policy.

However a source working with NHSE told Digital Health News that the policies had been removed because of security concerns and because NHSE does not believe it has the capacity to maintain open source software, concerns which Baw calls “ill-founded”.

“Having access to the source code doesn’t mean that you can fiddle with the running software. How the code is built is public, but the data is private,” he explained.

“If the NHS has decided to shun open source for whatever reason, it’s wrong,” he said.