I think there's a problem here which isn't unique to the NHS. In fact it's endemic through just about every business and government body that uses IT.
It's "we're a medical/banking/insurance/manufacturing/..... organisation, not IT".
And yet IT is central to whatever they try to do but, because "we're not an IT organisation", they try to outsource everything to the lowest bidder. The essential awareness of risks and opportunities alike is lost. At least it's lost at the top of the organisation, it might not be lost at the coal face but, because those coal face people are on low pay grades and their opinions are worth what they're paid, and because any large organisation has a built-in reality distortion field to ensure cries of distress from below arrive at the top as messages that all's well, that awareness stays at the bottom.
A WannaCry, a DC outage for a few days or whatever has no effect. It's not perceived as a consequence of top-level decisions or of the corporate culture. It's an external problem, a cleverly contrived attack or a one-off failure of a piece of kit that "we can't plan for". No, you can't plan for it because you've lost the ability to do so. You need to get that ability back because, whether you like it or not, it's one of those things you need to do and do well.