British media had reported previous year that most public health organisations were using an outdated version of Microsoft Windows that was not equipped with security updates.
"This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers", Smith said.
As a loose global network of cybersecurity experts fought the ransomware, the attack was disrupting computers that run factories, banks, government agencies and transport systems in scores of countries, including Russia, Ukraine, Brazil, Spain, India and Japan, among others. The Administration noted that this global attack shows again the unprecedented challenges ahead in terms of Internet security.
Still, only a small number of US-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.
Computers and networks that hadn't recently updated their systems are still at risk because the ransomware is lurking.
The U.K. government's cyber office put it succinctly: "T$3 he way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks".
For instance, the Conficker virus, which first appeared in 2008 and can disable system security features, also spreads through vulnerabilities in internal file sharing.
"WannaCry" infected computers are frozen and display a big message in red informing users, "Oops, your files have been encrypted!" and demanding about $300 in online bitcoin payment. Microsoft did release a patch for the vulnerability in March.
"You can point a lot of fingers, but I think given that this was not a zero-day vulnerability (for which no patch is available), the people hacked are to blame", said Robert Cattanach, a partner at the worldwide law firm Dorsey & Whitney and an expert on cybersecurity and data breaches. "Software updates and security patches are pushed to us as needed so that we are using the most current approved versions of software on our computers".
A Microsoft spokesman reached Sunday said the company had no comment. It has attacked hundreds of thousands of computers, security experts say, from hospital systems in the United Kingdom and a telecom company in Spain to universities and large companies in Asia.
Local media reported Monday that patients arriving at Dharmais Cancer Hospital over the weekend were unable to get queue numbers and had to wait several hours while staff worked with paper records. "But there's clearly some culpability on the part of the US intelligence services".
In Britain, many hospitals and clinics that are part of the country's national health service were still having computer problems.
The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.
He adds that governments should report vulnerabilities like the one at the center of the WannaCry attack.
The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.
The UK government called a meeting of its crisis response committee, known as Cobra, to discuss how to handle the situation.