Short story: On April 8, 2014, after you call to wish me a divine natal celebration, Microsoft stops patching XP. Before this amazing day, you should have replaced all your XP machines, or have them so severely disabled that they are nearly useless.
Longer story: There are many web pages advising about this issue, try https://startpage.com/do/search Because the long line of Microsoft operating systems (NT, 2000, XP, Vista, 7, 8, ...) share components --even today-- once a juicy exploit is discovered in say Windows 7, Bad Guys will use that exploit knowledge to create malicious code that will compromise XP.
XP that is connected to the internet or your network possibly exposes you to violation(s) of HIPAA requirements. This is because XP by April, 2014, will receive no security updates from Microsoft. You might say, "But we have anti-virus and anti-malware that is still updating!" Yes, but these new exploits may precede the detection and fix process in those protection softwares. The best plan is to replace XP as soon as you can. Reduce risk and be safe. Right. Now.
Windows Server 2003 has a similar fate in July 2015.
Postscript: Here are some of the relevant HIPAA regulations.
§164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
§164.308 Administrative safeguards.
(1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
(6) (i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.