You are responsible for an external integration layer that exposes patient and claims workflows to partner systems over HTTP APIs. A legacy partner uses SOAP with WS-Security, while a newer integration is being proposed as a RESTful API using JSON over HTTPS. The platform handles regulated healthcare data, and the main concern is not just protocol choice but how the choice changes authentication, authorization, message integrity, observability, and incident response.
How would you explain the purpose of RESTful APIs and their practical differences from SOAP in a security-sensitive environment, and how would those differences shape your design for authentication, transport security, request validation, logging, and monitoring in a healthcare exchange API?