You need to attempt to restore one of your backups. Does it include the data that you care about? Often it doesn't. I can help with that either by using your existing solution or by implementing a new solution.
Data does not really exist if it does not exist in at least 3 places.
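One way to check a test restore, as an added example that is not from the original page: it assumes the backup was restored into a separate folder while the live data is still readable. The function names, folder layout and file patterns are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_restore(live_root, restored_root, must_have=()):
    """Compare a test restore with the live data it should contain.

    missing         - files on the live system absent from the restore
    changed         - files whose content differs (may simply be newer
                      than the backup; review these by hand)
    required_absent - glob patterns from must_have with no restored match
    """
    live_root, restored_root = Path(live_root), Path(restored_root)
    report = {"missing": [], "changed": [], "required_absent": []}
    for src in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = src.relative_to(live_root)
        dst = restored_root / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(src) != sha256_of(dst):
            report["changed"].append(rel.as_posix())
    for pattern in must_have:
        if not any(p.is_file() for p in restored_root.glob(pattern)):
            report["required_absent"].append(pattern)
    return report


if __name__ == "__main__":
    # Constructed sample data: a tiny "live" tree and an incomplete restore.
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "charts").mkdir(parents=True)
        restored.mkdir()
        (live / "charts" / "a.dat").write_bytes(b"constructed record")
        (live / "billing.db").write_bytes(b"constructed ledger")
        (restored / "billing.db").write_bytes(b"constructed ledger")
        print(compare_restore(live, restored, must_have=["charts/*.dat"]))
```

An empty report on all three keys means the restore held everything the live folder has; anything under `missing` or `required_absent` is data the backup job is not capturing.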
Thou shalt not give clients and customers the password to the wifi network over which passes your data. It's not just a good idea, it's the law (if you have to comply with HIPAA).
Have a different wifi network for clients that grants them internet access but does not give them access to all of the unsecured data on your servers and workstations. This can be done with a single recent wifi router, or a pair of older wifi routers.
If you use wifi, make sure that you are using "WPA 2 128 bit" and that the router's firmware (its operating system) was released after October 2012. There was a security hole in older firmware versions that allowed someone to compromise older versions of WPA and WEP in under 10 minutes from 50+ feet away.
Don't use just VNC or Remote Desktop. If an attacker were to connect with Remote Desktop or VNC, the attacker could delete the log entries related to their visit.
This is a good practice for everyone, but if you need to comply with HIPAA, it is required. Your remote access solution needs to make logs and store them on a server where they cannot be purged by the person accessing the resource.
The session needs to be encrypted. UltraVNC makes logs, but it does not encrypt the session. TightVNC encrypts the authentication phase, but not the data. Remote Desktop encrypts both the session and the data, but does not save the logs in a location where they cannot be purged.
I use LogMeIn, which does comply with HIPAA. LogMeIn encrypts both the session and the data, and stores logs that cannot be purged. It is not free, but that is OK; I pay for it. For people on my monthly plan, I will grant the staff of your choice a sub account which lets them access some or all of your computers.
The "End of Life" for Microsoft Windows XP was April 13th 2014. After that date Windows XP gets no further security updates. Hackers had known about this date for a year before it occurred, and had been saving up many of their attacks to be released after Windows XP would no longer be fixed. After April 13th 2014 there was a rash of problems, and the only ones addressed were those that also affected other versions of Windows. For the past few months there have been no updates.
Because of this end of support, it is not legal to use Windows XP to both access patient data and use the internet.
This does not mean that you have to stop using Windows XP completely; it just means that you have to stop using it on workstations that access the internet and client data. Disabling internet access can be as simple as removing the gateway address from your TCP/IP settings. (To do this you need to be using static IPs, or to convert from DHCP to static IPs, a task that needs either network documentation or 10 minutes per PC.)
Some hardware only works on Windows XP. Or that is what the software says; you can often still install it on Windows 7 64-bit, and it will work. Other software will still work on Windows 7, but requires the 32-bit version of Windows 7. If you purchase a new PC, it will always have the 64-bit version of Windows installed. In order to get the 32-bit version of Windows installed, the hard drive first needs to be erased, then Windows and all of the software need to be re-installed. If you spent $10,000 for an x-ray sensor that works with your existing patient management and imaging system, it is much less expensive to replace the operating system and computer than to replace your proprietary sensor and practice management software.
If you insist on using Windows XP, or are using it in the short term, then at least stop using Internet Explorer, and use Google Chrome http://google.com/chrome or Firefox http://firefox.com instead.
Also upgrade Adobe Acrobat Reader and Adobe Flash from http://www.adobe.com/downloads.html . Click on the relevant link in the upper right hand corner, and make sure to uncheck the bundled optional software.
As part of my monthly plan I upgrade the browsers and plugins on all of your workstations so your employees are less likely to get malware when they attempt to install those updates.