In general, however, Palma said there are three types of tangible security procedures that can bring mobile devices, and the data they carry, into compliance:
Authentication of devices and users.
Encryption of data.
The "remote kill." This enables IT personnel to remotely delete data on wireless devices such as smartphones once they are known to be missing. Such capabilities typically are provided by mobile device management software.
These broad elements are closely related to central management of mobile devices, another key aspect of mobile compliance efforts, Palma added.
"You need to centrally manage and push [changes] out to all types of devices and have a consistent approach because when it comes back to compliance, that's what you need," he said.
One of the solutions is to encrypt the entire device, not just individual files on it. "We encrypt the entire [device] one level below the operating system so if the machine is lost or the disk is stolen, it can't be read..." USB drives, PDAs, convergent devices, laptops. If you truly must have PHI on mobile devices, make it useless to unauthorized users.