Burton's Queen's Hospital is upgrading IT systems in the wake of fears that NHS trusts are at increasing risk from cyber attacks following a worldwide computer scare.
Although the Belvedere Road hospital was not hit by the WannaCry ransomware in May this year, local bosses decided to switch off all IT systems as a precautionary measure.
The government report found that NHS trusts were left vulnerable in the attack because cyber-security recommendations were not followed. According to the National Audit Office, more than a third of trusts in England were disrupted and at least 6,900 NHS appointments cancelled as a result of the attack.
NHS England said no patient data had been compromised or stolen and praised the staff response.
Jonathan Tringham, director of finance, information, performance and estates at Burton's Queen's Hospital, said: "The trust took the decision to switch off its IT systems as a precautionary measure to prevent a cyber attack back in May.
"This allowed our hospitals to remain protected against any outside intrusion and ensure that our clinicians could continue treating patients safely.
"Our staff went above and beyond the call of duty to ensure that patient services continued without interruption and disruption was kept to a minimum.
"Along with every other NHS Trust in the country, we continue to upgrade our information systems to ensure we have the necessary protection to help prevent a future attack of this nature."
The National Audit Office said the Department of Health and the NHS must "get their act together" as a result of the findings of the report.
WannaCry, which spread to more than 150 countries in a worldwide ransomware outbreak beginning on May 12, was the biggest cyber-attack to date to hit the NHS.
The malware encrypted data on infected computers and those responsible demanded a ransom roughly equivalent to £230 ($300).
The report said there was no evidence that any NHS organisation paid the ransom - but the financial cost of the incident remained unknown.
It said NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.
The Department of Health also lacked important information, the report said. Organisations could also have better managed their computers' firewalls - but in many cases they did not, it said.
NHS organisations have not reported any cases of harm to patients or of their data being stolen as a result of WannaCry.
NHS England has identified 6,912 appointments - including operations - that were cancelled as a direct result of the ransomware, according to the BBC.
But it estimated that about 19,000 appointments in total may have been affected. The National Audit Office said the NHS "has accepted that there are lessons to learn" from WannaCry.
