The cyber-attack affected NHS services for a week from Friday 12 May, with the Department of Health, NHS England, NHS Digital, NHS Improvement and the National Cyber Security Centre working together to try to resolve the situation.
The attack, which UK security minister Ben Wallace has since attributed to the North Korean government, affected a third of NHS trusts across England and around 7,000 patient appointments were cancelled as a result.
In its report the NAO said the DH had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but, crucially, it had not tested the plan at a local level.
As the NHS had not rehearsed for a national cyber-attack it was not immediately clear who should lead the response and there were problems with communications
National Audit Office report into the WannaCry attack
The report said: "This meant the NHS was not clear what actions it should take when affected by WannaCry… as the NHS had not rehearsed for a national cyber-attack it was not immediately clear who should lead the response and there were problems with communications."
Communications with patients were confused, according to the report.
The NAO said: "Communications to patients and local organisations also came from a number of sources. These included the National Cyber Security Centre, which was providing support to all UK organisations affected by the attack, NHS England and NHS Digital."
By 4pm on the first day, NHS England had declared the cyber-attack a major incident and a few hours later it initiated its ‘Emergency, Preparedness, Resilience and Response’ plans to act as the single point of co-ordination.
However, in the absence of clear guidelines for the response, "local organisations reported the attack to different organisations within and outside the health sector, including local police".
There was praise for how frontline NHS staff met the challenges thrown up by the cyber-attack, with some forced to use mobile phones or WhatsApp to communicate with each other.
The NAO said: "Frontline NHS staff adapted to communication challenges and shared information through personal mobile devices, including using the encrypted WhatsApp application. NHS national bodies and trusts told us that this worked well on the day although is not an official communication channel."
The report said the NHS had learned comms and strategy lessons from the attack, including the need to:
• Develop a response plan setting out what the NHS should do in the event of a cyber-attack and establish the roles and responsibilities of local and national NHS bodies and the Department of Health.
• Ensure essential communications are getting through during an incident when systems are down.
There was also a need for an internal comms exercise, the NAO report said, to "ensure that organisations, boards and their staff are taking the cyber threat seriously".
She added: "We could have been quicker on getting a single message out to the public about the scale of the incident."
Royall, who is currently planning an exercise with external agencies to test responses to a future attack, added: "What worked well at a national level was the operational information that went out to the network but what didn’t work well was understanding how we’re going to communicate with each other when an email network is down."