A report from the National Audit Office into the impact of the WannaCry ransomware on the NHS has found that more than a third of all trusts in England were affected by the malware.
The investigation also found that the Department of Health was warned about cyber attacks directed at the NHS a full year before WannaCry wormed its way through trusts, but hadn't formally responded until July this year.
Although the DoH and Cabinet Office wrote to trusts in 2014 about migrating away from legacy software, there was no formal assessment mechanism to check whether they had done so until the first wave of attacks took place.
The NAO found that no NHS trusts actually paid the ransom, but the DoH isn't certain about the wider costs of cancelled appointments, additional IT support or restoring systems and data. Worryingly, it acknowledges that the attack could have caused even more disruption were it not for the efforts of the lone infosec researcher who found a sort of kill switch in the code.
NHS England responded by focusing first on maintaining emergency care, while NHS Digital said all organisations that were hit by WannaCry shared the same vulnerability and "could have taken relatively simple action" to protect themselves.
But on the plus side, NHS organisations are learning from the devastating attack, including securing local firewalls.
Head of the NAO Amyas Morse said: "The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
"There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."