The mobile device must allow remote data destruction in case of loss.
HIPAA Security Rules 164.310(d)(2)(i): Disposal: Implement policies and procedures to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
HIPAA Security Rules 164.312(e)(2)(i): Integrity Controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.25): Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.31) Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.6): Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeros or random data.