His desktop may be running XP. It doesn’t mean that his server (where his records are kept) is running XP. Now XP can be used as a vector to attack the server, but that does not necessarily mean the server is insecure.
Maybe he’s still getting XP updates?
Lots of systems, primarily government, are getting updates. I use XP on several machines in my office. Updates are out there.
They aren’t automatic - but they are still out there. And if it’s an XP machine using RDP 10+ and he’s doing his stuff through RDP / Citrix then he’s fine.
Oh, and my credibility on the subject: I’m an I.T. Systems Analyst with a focus on Law and Medicine. I am HIPAA certified and even helped draft sections in HIPAA compliancy.
My website is www.northeastanalysis.com and my company is Northeast Analysis. That’s me on the front page.