Needs to be close by.
Having done some work for one of these companies (it was a few years ago!) my understanding is that the "controller" (actually a laptop PC) needs to be in close proximity to the "subject". They usually use "induction", not radio frequency to couple to the device implanted (at least that is what I saw).
Yes, security is not something the device vendors, or the FDA thinks about. Lots of medical devices have "unpatched" windows environments because the vendors haven't gone thru the process of verification with the latest of windows patches. Most of the time these computers are not connected to a network (they usually don't need to be!), but sometimes they do get connected, and then the malware arrives with evil intentions.
On the ICD I did some work on they used a 65C02 processor, which they needed to get certified outside the normal supply chain (look at any datasheet for ICs and it usually says "not for life critical..."). Then they need to get ALL the software to pass FDA rules (lots of time and $$$). By the time everything is done, the development cost is HUGE. Then they deploy the stuff, and the added cost of a laptop per inplantable device is "small potatoes", so they just build it into the kit.
In my book the big problem is the controlling box (laptop) used to program the implant to do its thing (parameters per subject). As usual, security isn't a big consideration since most of the development is in an isolated environment.
It was interesting how the company "solved" problems in the test environment. It ended up being 4 (yes four) Windows boxes (it was W95) and a logic analyzer to test the ICD which had a 65C02 processor (same as Apple 2). Need something, add more hardware! In order to get the timing for the network between the 4 cpu's right, they even incorporated a relay to cutoff the network from outside the 4 cpu's. Oh, well. It was windows, they didn't even try anything else.