It's worse than that, they were being asked by a security firm (ie this was a PR exercise) if they had any staff who'd had 'security training'.
So apart from the fact that this is only being reported on because a company's marketing department saw a good way to get attention, it also begs the question, exactly what kind of 'security training' would be useful? All the people I'd trust to secure a system have exactly zero formal training. From my own experience of IT training, although I did learn stuff, the actual certification just showed that you could complete and exam, not that you had any aptitude for the subject.
So, perhaps the NHS has no competent security staff, or perhaps it has lots who've never had the budget to be sent on an overpriced training course just so they can put a line on their CV saying "security trained". This PR piece doesn't really give us the information to decide.