How do we give mom a reasonable assurance that her family’s health data will not be phished?

You don’t and can’t.

We had fraud and falsification in the past, before computers, and we’ll have it in the future. If people can make money by subverting things they will be subverted. You can make it hader by adding encryption and trust algorithms (PKI, Trusted Computer, HTTPS, AES), but in the end you have to draw a line somewhere (app, OS, BIOS, TPM chip, Marine with shiney shoes and a .45 ACP) and that’s where the attacks will happen.

That movie is beautifully done. But at the end we’re back to the same place. How do we give mom a reasonable assurance that her family’s health data will not be phished?

There are, of course, cryptographic protocols that could be used to verify a client application.

and

How are you going to walk her through the protocols necessary to assure that a client application she downloads from the Net is properly certified for use with HealthVault

But the first Immutable Law of (Computer) Security is

If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Of course you can try embedding “trusting computing” in the hardware, but that simply brings up the question of who do you trust?.