FWIW, we would expect a wide variety of potential file types across images, documents (text, PDF, Word, etc.), and videos to support a wide variety of use cases (documentation, clinical images, scanned files, data from ancillary systems, patients uploading documentation or images for their provider, etc.).
Blocking obvious bad players (e.g., executables and scripts) would be a good place to start.