The mobile device must allow remote data destruction in case of loss.
HIPAA Security Rules 164.310(d)(2)(i): Disposal: Implement policies and procedures to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
HIPAA Security Rules 164.312(e)(2)(i): Integrity Controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.25) Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.31) Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.6) Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeros or random data.