The Department of Health also does not know how much the disruption to services cost the NHS, the watchdog said, publishing its probe into the WannaCry incident earlier this year.
As well as cancelled appointments, costs will have included additional IT support, of restoring data and systems, and overtime for national and local NHS staff in the weekend following the attack.
WannaCry, which hit on 12 May this year, was the largest attack on the NHS in England, affecting at least 34% of trusts as well as almost 600 GP practices. However, neither the DH nor NHS England know the full extent of the disruption.
The NAO also noted that, in March and April this year, NHS Digital has issued critical alerts warning organisations to patch their systems to prevent WannaCry.
However, there was no formal mechanism in central government to assess whether local NHS bodies were complying with this advice.
According to NHS Digital, all organisations affected by the virus could have taken relatively simple preventative action to protect their systems.
NAO head Amyas Morse said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security and best practice.”
He urged the DH and the NHS to “get their act together” to ensure the health service is better protected in future.
Dan Taylor, NHS Digital’s head of security, said the health service “responded admirably” to the WannaCry attack.
“We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations,” he said.
Ben Clacy, director of development and operations at NHS Providers, said: “The NHS is taking steps at national and local level to prepare for the next attack.
“Part of this is to ensure that trusts apply software patches and keep anti-virus software up to date. And there are lessons too around communication, both within the NHS and with the wider public.
“And this incident was a powerful reminder that we need significant capital investment to ensure we can deal with the threat of cyber crime in the future.”
Raj Samani, chief scientist and fellow at McAfee, commented: “Recognising our dependency on technology and managing the risks to reduce the likelihood of disruption from further attacks being realised must be a priority.”
Geoff Connell, resident of the Society for IT Practitioners in the Public Sector (Socitm), told PF in May the international ransomware incident, which have affected 60 NHS organisations since Friday, was a “wake-up call” to the whole public sector.
Read PF’s feature on cyber security here
