The UK’s National Audit Office (NAO) has said the country’s health service failed to “follow best practices” to prevent the WannaCry cyberattack.

The National Health Service (NHS) was one of the first major victims of May’s international Bitcoin ransomware, which demanded users pay $300 in order to regain access to infected computers.

Despite being a “relatively unsophisticated attack,” the NAO said in a new report, the NHS was easy prey. WannaCry “could have been prevented by the NHS following basic IT security best practice.”

“There are more sophisticated cyber-threats out there than WannaCry, so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” it advised.

The report comes as a new variety of ransomware known as Bad Rabbit makes its way across the world, infecting public computer systems in Russia, Ukraine, elsewhere in Europe and even Japan.

WannaCry was the most prolific attack of its kind, spreading easily due to a conspicuous lack of security guarding the IT systems of its victims.

“The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment,” Meg Hillier, chair of the UK government’s public accounts committee reiterated.

“...The NHS and the department need to get serious about cybersecurity or the next incident could be far worse.”

Though the discovery of an antidote, WannaCry’s effect was limited after a certain point, and the attack was notable for the correspondingly meager amounts collected by hackers. This led Russia’s Internet advisor Herman Klimenko even to suggest the perpetrators were children.