The UK's security minister's comments follow a report on the WannaCry attack from the UK's National Audit Office (NAO) also released on Friday.
The WannaCry attack hit businesses and government services worldwide as it infected more than 300,000 computers in 150 countries in a matter of days.
The NAO's probe found that nearly 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled.
In 2014, the Department of Health and the Cabinet office wrote to NHS Trusts asking them to make sure they had "robust plans" to move away from old software by April 2015.
WannaCry was "a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice", said Sir Amyas Morse, comptroller and auditor-general of the NAO.
For example, the Secretary of State for Health asked the National Data Guardian and the Care Quality Commission to undertake reviews of data security, with reports published in July 2016 that warned the Department of Health that cyber attacks could lead to patient information being lost or compromised.
The NHS has huge security failings and could have prevented the WannaCry attack earlier this year, according to a government report. These costs include: cancelled appointments; additional IT support provided by local NHS bodies, or IT consultants; or the cost of restoring data and systems affected by the attack.
According to NHS Digital, the attack could have been prevented by installing security patches and correctly implementing firewalls on outdated and unsupported NHS computers.
The report adds that no hospital paid the required ransom, but that the total costs from the disruptions and cancellations were not known.
Court Grants Undocumented Teen Access to Abortion
Instead, shelters for undocumented minors may support only "pregnancy services and life-affirming options counseling". The Central American girl was apprehended earlier this year after crossing the U.S. -Mexico border in September.
It had been warned about the risks of cyberattacks more than a year before. Equally, we need to think carefully about how effective the NHS is, if the Department of Health and bodies like NHS Digital have little central control or insight.
Meanwhile IT systems at the Cumberland Infirmary were also hit.
To be fair, the Department of Health had developed a plan - it was just that it had not been properly communicated or tested in the NHS trusts.
As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.
But Meg Hillier, chairman of the Commons Public Accounts Committee, said: "The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment".
Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 - that had not been updated to secure them against such attacks.
The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan.
In one way, the NHS was lucky - if, instead of a Friday in May, the attack had taken place on a Monday in winter, with a week's appointments affected, the damage would have been far worse.